Microsoft has taken down an undisclosed variety of GitHub repositories utilized in a large malvertising marketing campaign that impacted virtually a million gadgets worldwide.
The corporate’s risk analysts detected these assaults in early December 2024 after observing a number of gadgets downloading malware from GitHub repos, malware that was later used to deploy a string of varied different payloads on compromised techniques.
After analyzing the marketing campaign, they found that the attackers injected advertisements into movies on unlawful pirated streaming web sites that redirect potential victims to malicious GitHub repositories below their management.
“The streaming web sites embedded malvertising redirectors inside film frames to generate pay-per-view or pay-per-click income from malvertising platforms,” Microsoft defined in the present day. “These redirectors subsequently routed site visitors by means of one or two extra malicious redirectors, finally main to a different web site, resembling a malware or tech help rip-off web site, which then redirected to GitHub.”
The malvertising movies redirected customers to the GitHub repos that contaminated them with malware designed to carry out system discovery, gather detailed system information (e.g., reminiscence measurement, graphic particulars, display screen decision, working system (OS), and consumer paths), and exfiltrate the harvested information whereas deploying extra stage-two payloads.
A 3rd-stage PowerShell script payload then downloads the NetSupport distant entry trojan (RAT) from a command-and-control server and establishes persistence within the registry for the RAT. As soon as executed, the malware may deploy the Lumma info stealer malware and the open-source Doenerium infostealer to exfiltrate consumer information and browser credentials.
However, if the third-stage payload is an executable file, it creates and runs a CMD file whereas dropping a renamed AutoIt interpreter with a .com extension. This AutoIt part then launches the binary and should drop one other model of the AutoIt interpreter with a .scr extension. A JavaScript file can also be deployed to assist execute and achieve persistence for .scr information.
Within the final stage of the assault, the AutoIt payloads use RegAsm or PowerShell to open information, allow distant browser debugging, and exfiltrate extra info. In some instances, PowerShell can also be used to configure exclusion paths for Home windows Defender or to drop extra NetSupport payloads.
Whereas GitHub was the first platform to host payloads delivered throughout the marketing campaign’s first stage, Microsoft Risk Intelligence additionally noticed payloads hosted on Dropbox and Discord.
“This exercise is tracked below the umbrella identify Storm-0408 that we use to trace quite a few risk actors related to distant entry or information-stealing malware and who use phishing, SEO (website positioning), or malvertising campaigns to distribute malicious payloads,” Microsoft mentioned.
“The marketing campaign impacted a variety of organizations and industries, together with each client and enterprise gadgets, highlighting the indiscriminate nature of the assault.”
Microsoft’s report gives extra and extra detailed info relating to the varied phases of the assaults and the payloads used throughout the multi-stage assault chain of this complicated malvertising marketing campaign.
