Hackers look to trick GitHub users with intricate malware

GitHub users are under attack once again, as researchers spot yet another creative malware campaign on the popular platform.

This campaign seeks to deliver clipper malware, and has a unique approach to increase visibility, while decreasing the chances of being flagged by antivirus programs.

According to cybersecurity researchers from Checkmarx, an unnamed threat actor created malicious GitHub repositories, using names and topics that are popular and frequently searched for. Then, they automated the update mechanism, regularly changing the date, and other meaningless information, in the log file. That way, the repository was always at the very top of the search results, especially in the “recently updated” category.

Keysetzu clipper

The hackers also used fake accounts to add positive reviews and five-star ratings to further boost the malware’s visibility and credibility. While this isn’t a new technique, the threat actors didn’t overdo it with great ratings this time around, keeping a low profile.

At the same time, the malware was padded with many zeros, artificially inflating its size to exceed 32MB. That way, many antivirus programs and platforms, including VirusTotal, did not scan it.

The goal of the campaign was to drop clipper malware. Clippers usually steal clipboard information (copy/paste data) and are often used in cryptocurrency theft. When sending money, crypto users usually copy and paste the recipient’s wallet address (since it’s a long string of random characters and impractical, if not impossible, to memorize). In this process, the clipper malware will replace the recipient’s wallet with that of the attackers, tricking the victim into sending their money to the wrong address.

Unless the money is being transferred from a centralized exchange, the transactions are impossible to stop or revert. The money is gone for good.

Analyzing the malware, the researchers said it bears many similarities to the Keyzetsu clipper, which was first observed in mid-2023. Apparently, it will not activate on a computer located in Russia.