Researchers Discover Mass Manipulation of GitHub Search Functionalities to Distribute Malware


Executive Summary

Threat actors are taking advantage of GitHub’s search functionalities to deceive users looking for popular repositories into downloading malicious counterparts that serve malware, according to a new report from Checkmarx. Attackers are utilizing techniques like automated updates and fake stars to boost search rankings and deceive users.

Community Threat Assessment

The use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to the open-source ecosystem. By exploiting GitHub’s search functionality and manipulating repository properties, attackers can lure unsuspecting users into downloading and executing malicious code. RH-ISAC recommends Core Members review the information in this report, along with the collection of Indicators of Compromise (IOCs) included at the bottom of it, for their awareness.

Background

Checkmarx’s recent findings reveal an unnamed threat actor creating multiple GitHub repositories with names and topics likely to be searched by unsuspecting users. These repositories are disguised as legitimate projects, often related to popular games, cheats, or tools, making it difficult for users to distinguish them from benign code. To ensure maximum visibility, the attackers employ several novel techniques that consistently place their malicious repositories at the top of GitHub search results, including:

  • By leveraging GitHub Actions, the attackers automatically update the repositories at a very high frequency by modifying a file, usually called “log,” with the current date and time or just some random small change. This continuous activity artificially boosts the repositories’ visibility, especially for instances where users filter their results by “most recently updated,” increasing the likelihood of unsuspecting users finding and accessing them.
  • Attackers employed multiple fake accounts to add bogus stars, creating an illusion of popularity and trustworthiness. This artificially boosts the repositories’ visibility further, especially for instances where users filter their results by “most stars.” In contrast to past incidents where attackers were found to add hundreds or thousands of stars to their repos, it appears that in these cases, the attackers opted for a more modest number of stars, probably to avoid raising suspicion with an exaggerated number.
  • The attackers conceal their malware primarily as obfuscated code buried deep within the repository’s .csproj or .vcxproj files, which are commonly used in Visual Studio projects, to decrease the chances of the average user detecting it unless they proactively search for suspicious elements.
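The three techniques above each leave a trace a reviewer can check for before cloning or building a repository: an unusually dense run of commits that only touch one file, stargazer accounts that were all registered at about the same time, and build-event commands in the project files that launch an interpreter with encoded input. The script below is an added example written for this post; it is not Checkmarx’s or RH-ISAC’s tooling, and the thresholds, the account-age heuristic for stars and the sample commit history, stargazer dates and project files are all constructed here so that it runs offline. In practice the inputs would come from `git log`, GitHub’s stargazers API and the repository’s own .csproj / .vcxproj files.

```python
"""Heuristic checks for the three GitHub search-manipulation techniques.

Added example, not Checkmarx's or RH-ISAC's code. All inputs are constructed
so the script runs offline; thresholds are illustrative, not tuned.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta


def flag_churn_commits(commits, window=timedelta(hours=24), min_commits=20, max_files=1):
    """Technique 1: many commits in a short window that all touch the same few files.

    commits: iterable of (timestamp, [changed paths])."""
    commits = sorted(commits, key=lambda c: c[0])
    start = 0
    for end in range(len(commits)):
        while commits[end][0] - commits[start][0] > window:
            start += 1
        run = commits[start:end + 1]
        touched = {p for _, paths in run for p in paths}
        if len(run) >= min_commits and len(touched) <= max_files:
            return True
    return False


def flag_star_burst(account_created, window=timedelta(days=7), min_accounts=10):
    """Technique 2 (assumed heuristic): stargazer accounts registered in one tight cluster.
    With only a modest number of stars, account age says more than the total count."""
    created = sorted(account_created)
    start = 0
    for end in range(len(created)):
        while created[end] - created[start] > window:
            start += 1
        if end - start + 1 >= min_accounts:
            return True
    return False


# Technique 3: build-time commands in MSBuild project files that start an
# interpreter with encoded input, decode files, or carry a long base64 blob.
LOADER_CMD = re.compile(
    r"(?:powershell|pwsh)[^\n]*?\s-(?:e|ec|enc|encodedcommand)\b"
    r"|certutil[^\n]*-decode|\biex\b|invoke-expression|frombase64string",
    re.IGNORECASE,
)
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Command"}


def scan_project_file(xml_text):
    """Return [(tag, reason, snippet)] for suspicious build events / Exec commands."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the MSBuild XML namespace, if any
        cmds = []
        if tag in EVENT_TAGS and el.text and el.text.strip():
            cmds.append(el.text)
        if tag == "Exec" and el.get("Command"):
            cmds.append(el.get("Command"))
        for cmd in cmds:
            if LOADER_CMD.search(cmd):
                findings.append((tag, "interpreter with encoded input", cmd.strip()[:60]))
            elif LONG_B64.search(cmd):
                findings.append((tag, "long base64 blob", cmd.strip()[:60]))
    return findings


T0 = datetime(2024, 3, 1)
# Constructed: a commit every 30 minutes for a day, each touching only "log".
CHURN_COMMITS = [(T0 + timedelta(minutes=30 * i), ["log"]) for i in range(48)]
# Constructed: five commits over a day touching ordinary source files.
NORMAL_COMMITS = [(T0 + timedelta(hours=5 * i), ["src/main.c", "README.md"][: 1 + i % 2]) for i in range(5)]
# Constructed account-creation dates: twelve accounts registered within half a day,
# versus twelve accounts spread over several years.
BURST_STARS = [T0 - timedelta(days=30, hours=i) for i in range(12)]
ORGANIC_STARS = [T0 - timedelta(days=90 * i) for i in range(12)]

# Constructed .vcxproj fragment; the -enc argument is a placeholder, not a real payload.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>powershell -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQQ==</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>"""
# Constructed SDK-style .csproj whose only build step is harmless.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
  <Target Name="Stamp" BeforeTargets="Build">
    <Exec Command="echo build started" />
  </Target>
</Project>"""

if __name__ == "__main__":
    print("commit churn:", flag_churn_commits(CHURN_COMMITS), flag_churn_commits(NORMAL_COMMITS))
    print("star burst:  ", flag_star_burst(BURST_STARS), flag_star_burst(ORGANIC_STARS))
    print("vcxproj:", scan_project_file(SAMPLE_VCXPROJ))
    print("csproj: ", scan_project_file(SAMPLE_CSPROJ))
```

None of the three checks is proof on its own; a busy bot-maintained changelog or a repository featured on a popular list can trip the first two. Their value is as a pre-clone triage step: a hit on any of them means reading the project files and the Actions workflows before building, rather than trusting the search ranking.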

These findings and techniques come as Checkmarx previously reported a black market of online stores and chat groups selling GitHub stars to artificially boost a repository’s popularity, a technique referred to as star inflation. Star inflation can be combined with the methods listed above to further propagate and deliver malicious repositories.

Indicators of Compromise

The following IOCs, supplied by Checkmarx, are provided for community awareness and ingestion:

  • hxxps[:]//cdn.discordapp[.]com/attachments/1192526919577649306/1211404800575537304/VisualStudioEN.7z?ex=6612fda3&is=660088a3&hm=5ae3b1b5d2c7dc91a9c07a65dbf8c61d3822b1f16a2d7c70eb37a039979e8290&
  • hxxps[:]//cdn.discordapp[.]com/attachments/1192526919577649306/1211403074799804476/VisualStudioRU.7z?ex=6612fc07&is=66008707&hm=0a7fc9432f5ef58960b1f9a215c3feceb4e7704afd7179753faa93438d7e8f54&
  • MD5: 08b799d56265e93f6aae4f089808d1cb
  • SHA-1: cc9d54b78688ef6f41e4f4d0c8bced3e04bfcedc
  • ooocyber[.]keenetic[.]pro
  • 188[.]113[.]132[.]109
  • hxxps[:]//rentry[.]co/MuckCompanyMMC/raw
  • hxxps[:]//rentry[.]co/hwqfx/raw
  • hxxps[:]//rentry[.]co/q3i7zp/raw
  • hxxps[:]//rentry[.]co/tvfwh/raw
  • hxxps[:]//cdn.discordapp[.]com/attachments/1193658583947149322/1218876343232630844/main.exe?ex=6609420d&is=65f6cd0d&hm=f5a0af7499e892637935c3e4071f2dc59d48214f56a1c1d7aedc3392f58176db&
  • hxxps[:]//paste[.]fo/raw/dd6cd76eb5a0
  • hxxps[:]//paste[.]fo/raw/efda79f59c55
  • hxxps[:]//rentry[.]co/4543t/raw
  • hxxps[:]//rentry[.]co/a2edp
  • hxxps[:]//textbin[.]net/raw/gr2vzmwcvt
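The list above mixes defanged URLs (with two different defanging styles), a domain, an IP address and two file hashes, which is awkward to feed into a blocklist or a SIEM by hand. The script below is an added example, not Checkmarx’s or RH-ISAC’s code: it refangs each entry, classifies it by type, and pulls the hostnames out of the URL indicators. The sample entries are copied from the list above; the grouping and host extraction are this script’s own.

```python
"""Refang and classify a defanged IOC list for ingestion.

Added example, not Checkmarx's or RH-ISAC's code. SAMPLE_IOCS is a subset of
the indicators published above, kept in their defanged form.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Defanging variants seen in the list: both "[:]//" and "[://]" occur.
DEFANG = [("hxxps", "https"), ("hxxp", "http"), ("[://]", "://"), ("[:]//", "://"), ("[.]", ".")]
HEX_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(ioc):
    """Undo the defanging so the value can be matched against real telemetry."""
    s = ioc.strip()
    for fanged, clean in DEFANG:
        s = s.replace(fanged, clean)
    return s


def classify(ioc):
    """Return (type, refanged value); type is md5/sha1/sha256/url/ipv4/ipv6/domain/unknown."""
    v = refang(ioc)
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HEX_TYPES:
        return HEX_TYPES[len(v)], v.lower()
    if v.startswith(("http://", "https://")):
        return "url", v
    try:
        return f"ipv{ipaddress.ip_address(v).version}", v
    except ValueError:
        pass
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v, re.IGNORECASE):
        return "domain", v.lower()
    return "unknown", v


def group(iocs):
    """Bucket the refanged indicators by type, ready for per-type ingestion."""
    out = defaultdict(list)
    for ioc in iocs:
        kind, value = classify(ioc)
        out[kind].append(value)
    return dict(out)


def url_hosts(iocs):
    """Hostnames behind the URL indicators. Shared services among them (a CDN, paste
    sites) are too broad to block outright; use the full URL or the path for those."""
    return sorted({urlsplit(v).hostname for k, v in map(classify, iocs) if k == "url"})


SAMPLE_IOCS = [
    "hxxps[:]//cdn.discordapp[.]com/attachments/1192526919577649306/1211404800575537304/VisualStudioEN.7z?ex=6612fda3&is=660088a3&hm=5ae3b1b5d2c7dc91a9c07a65dbf8c61d3822b1f16a2d7c70eb37a039979e8290&",
    "08b799d56265e93f6aae4f089808d1cb",
    "cc9d54b78688ef6f41e4f4d0c8bced3e04bfcedc",
    "ooocyber[.]keenetic[.]pro",
    "188[.]113[.]132[.]109",
    "hxxps[://]rentry[.]co/MuckCompanyMMC/raw",
    "hxxps[:]//paste[.]fo/raw/dd6cd76eb5a0",
    "hxxps[:]//textbin[.]net/raw/gr2vzmwcvt",
]

if __name__ == "__main__":
    for kind, values in group(SAMPLE_IOCS).items():
        print(kind, values)
    print("url hosts:", url_hosts(SAMPLE_IOCS))
```

The domain and IP entries can go straight onto a DNS or firewall blocklist; the hashes belong in endpoint telemetry searches; the URLs are best matched as full strings or by path, since cdn.discordapp.com and the paste sites are legitimate services that many users reach for ordinary reasons.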
