April 10, 2024 at 10:21AM
Threat actors are exploiting GitHub automation features to distribute a variant of the “Keyzetsu” clipboard-hijacking malware via fake repositories named after popular topics. They use GitHub Actions to boost rankings and create fake accounts to add false popularity. The malware, hidden in Visual Studio projects, aims to steal cryptocurrency payments by replacing clipboard content. To mitigate, review suspicious repository activity.
Threat actors are utilizing GitHub automation features and Visual Studio projects to distribute a new variant of the Keyzetsu clipboard-hijacking malware. The attackers create GitHub repositories with names designed to rank well in search results and use several methods to artificially boost their visibility on the platform, including automating updates through GitHub Actions and creating fake accounts that provide bogus stars.
The malware payload is hidden within Visual Studio project files and is executed during the project build. The script that runs during the build wipes temporary files, determines the location of the infected system, downloads and executes encrypted files, and, starting from April 3, 2024, executes a large encrypted executable named ‘feedbackAPI.exe’.
The final payload is a variant of the Keyzetsu clipboard malware, which replaces the contents of the Windows clipboard with the attacker’s own data. This allows the attackers to divert cryptocurrency payments to their own wallets by swapping the victim’s copied cryptocurrency addresses.
To protect against such supply chain attacks and malicious code hosted on GitHub, it is advised to review repository activity for suspicious patterns, such as numerous commits, or stars received from accounts that were all created around the same time. These checks help identify and prevent potential threats before a repository is trusted.
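The check recommended above, as an added example that is not part of the original report: given a repository's stargazer list with each account's creation time, it groups accounts created within a short window of each other and reports what fraction of the stars come from such a burst. The stargazer records are constructed here for illustration; in practice they would come from the repository's stargazer and user metadata.

```python
"""Flag a repository whose stars come from accounts created in a narrow burst."""
from datetime import datetime, timedelta

# Constructed sample: one stargazer per line as "login,account_created_at".
# These are made-up accounts for illustration, not data from the article.
SAMPLE_STARGAZERS = """\
dev-alice,2019-03-12T08:41:00Z
bob-builds,2021-11-02T17:05:00Z
qwe81736,2024-04-02T09:14:00Z
asd19283,2024-04-02T09:16:00Z
zxc55521,2024-04-02T09:17:00Z
rty00912,2024-04-02T09:19:00Z
fgh73362,2024-04-02T09:22:00Z
carol-ops,2017-06-30T12:00:00Z
"""


def parse_stargazers(text):
    """Parse 'login,created_at' lines into (login, datetime) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        login, created = line.split(",", 1)
        stamp = datetime.strptime(created.strip(), "%Y-%m-%dT%H:%M:%SZ")
        records.append((login.strip(), stamp))
    return records


def burst_clusters(records, window=timedelta(hours=1), min_size=3):
    """Return lists of logins whose account creation times fall within `window`
    of the first account in the group, keeping only groups of >= min_size."""
    ordered = sorted(records, key=lambda r: r[1])
    clusters, current = [], []
    for login, created in ordered:
        if current and created - current[0][1] > window:
            if len(current) >= min_size:
                clusters.append([l for l, _ in current])
            current = []
        current.append((login, created))
    if len(current) >= min_size:
        clusters.append([l for l, _ in current])
    return clusters


def burst_fraction(records, **kwargs):
    """Fraction of stars coming from creation-time bursts (0.0 none, 1.0 all)."""
    if not records:
        return 0.0
    flagged = sum(len(c) for c in burst_clusters(records, **kwargs))
    return flagged / len(records)


if __name__ == "__main__":
    stars = parse_stargazers(SAMPLE_STARGAZERS)
    print("burst accounts:", burst_clusters(stars))
    print("fraction of stars from bursts: %.3f" % burst_fraction(stars))
```

A high fraction does not prove manipulation on its own, but combined with the commit-automation pattern described above it is a strong reason to inspect the project files before building them.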