Thursday, January 23, 2025
Homecyber securityHackers Manipulate GitHub Search To Deliver Clipboard-Hijacking Malware

Hackers Manipulate GitHub Search To Deliver Clipboard-Hijacking Malware

Published on

SIEM as a Service

Follow Us on Google News

In a sophisticated cyberattack campaign uncovered on April 10, 2024, cybercriminals are exploiting GitHub’s search functionality to distribute a particularly insidious form of malware, known as “Keyzetsu clipper,” targeting cryptocurrency wallets.

This new wave of attacks highlights cybercriminals’ evolving tactics and raises significant concerns over the security of open-source supply chains.

The attackers have ingeniously crafted repositories with popular names and topics, employing automated updates and fake popularity metrics to manipulate GitHub’s search rankings.

Manipulate GitHub Search

This manipulation ensures their malicious repositories appear at the top of search results, deceiving unsuspecting users into downloading malware-laden code.

The Mechanics Of The Attack

The core of this attack lies in manipulating GitHub’s search functionality.

According to the Checkmarx report, attackers make it challenging for users to distinguish between benign and malicious code by creating repositories that mimic legitimate projects, often related to popular games, cheats, or tools.

These repositories are designed to appear more credible and attractive to potential victims by leveraging GitHub Actions for automatic updates, which boosts their visibility in search results.

One of this campaign’s most alarming aspects is the use of Visual Studio project files (.csproj or .vcxproj) to conceal the malicious code.

Manipulate GitHub Search

This code is crafted to automatically execute when the project is built, making detection even more challenging.

Furthermore, the attackers have prepared the malware to modify its payload based on the victim’s geographic location, although this functionality was not activated at the time of discovery.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

The Threat Of “Keyzetsu Clipper”

The malware at the heart of this campaign, dubbed “Keyzetsu clipper,” is designed to hijack the clipboard of infected Windows machines.

This allows the malware to replace cryptocurrency wallet addresses copied to the clipboard with addresses controlled by the attackers, effectively diverting cryptocurrency transactions to their wallets.

The malware establishes persistence on the infected machines, ensuring its continued operation even after rebooting the system.

This attack underscores the vulnerabilities inherent in the open-source supply chain, particularly the reliance on platforms like GitHub for code sharing and collaboration.

The clever manipulation of GitHub’s search functionality to distribute malware represents a significant escalation in the sophistication of cyberattacks targeting developers and the broader open-source community.

In response to these findings, cybersecurity experts are urging developers and users to exercise increased vigilance when downloading code from GitHub.

Recommendations include verifying the authenticity of repositories, scrutinizing project files for unusual code, and employing robust security solutions capable of detecting and neutralizing such threats.

As the cyber threat landscape continues to evolve, the discovery of this campaign serves as a stark reminder of the need for constant vigilance and proactive security measures within the open-source ecosystem.

The collaborative nature of open-source development, while one of its greatest strengths, also presents unique challenges in safeguarding against such sophisticated and deceptive attacks.

In conclusion, the manipulation of GitHub search to distribute clipboard-hijacking malware marks a significant development in cybercriminal tactics, highlighting the ongoing battle between attackers seeking to exploit digital platforms and the cybersecurity community’s efforts to protect them.

Are you from the SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free 

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Nnice Ransomware Attacking Windows Systems With Advanced Encryption Techniques

CYFIRMA's Research and Advisory team has identified a new strain of ransomware labeled "Nnice,"...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Nnice Ransomware Attacking Windows Systems With Advanced Encryption Techniques

CYFIRMA's Research and Advisory team has identified a new strain of ransomware labeled "Nnice,"...