this post was submitted on 12 Apr 2024
16 points (100.0% liked)

Security

5018 readers
1 users here now

Confidentiality Integrity Availability

founded 4 years ago
MODERATORS
top 1 comments
sorted by: hot top controversial new old
[–] [email protected] 4 points 7 months ago* (last edited 7 months ago)

Key Points

GitHub search manipulation: Attackers create malicious repositories with popular names and topics, using techniques like automated updates and fake stars to boost search rankings and deceive users.


Malicious code is often hidden within Visual Studio project files (.csproj or .vcxproj) to evade detection, automatically executing when the project is built.
The attacker had set up the stage to modify the payload based on the victim's origin, checking specifically if the victim is based in Russia. At this point, we don't see this ability activated.



The recent malware campaign involves a large, padded executable file that shares similarities with the "Keyzetsu clipper" malware, targeting cryptocurrency wallets.
The malware establishes persistence on infected Windows machines by creating a scheduled task that runs the malicious executable daily at 4AM without user confirmation.



Developers should be cautious when using code from public repositories and watch for suspicious repository properties, such as high commit frequencies and stargazers with recently created accounts.

edit: formatting