Microsoft has taken down an undisclosed variety of GitHub repositories utilized in an enormous malvertising marketing campaign that impacted nearly a million gadgets worldwide.
The corporate’s menace analysts detected these assaults in early December 2024 after observing a number of gadgets downloading malware from GitHub repos, malware that was later used to deploy a string of varied different payloads on compromised programs.
After analyzing the marketing campaign, they found that the attackers injected adverts into movies on unlawful pirated streaming web sites that redirect potential victims to malicious GitHub repositories underneath their management.
“The streaming web sites embedded malvertising redirectors inside film frames to generate pay-per-view or pay-per-click income from malvertising platforms,” Microsoft defined in the present day. “These redirectors subsequently routed site visitors by way of one or two extra malicious redirectors, finally main to a different web site, akin to a malware or tech assist rip-off web site, which then redirected to GitHub.”
The malvertising movies redirected customers to the GitHub repos that contaminated them with malware designed to carry out system discovery, accumulate detailed system data (e.g., reminiscence dimension, graphic particulars, display screen decision, working system (OS), and person paths), and exfiltrate the harvested information whereas deploying extra stage-two payloads.
A 3rd-stage PowerShell script payload then downloads the NetSupport distant entry trojan (RAT) from a command-and-control server and establishes persistence within the registry for the RAT. As soon as executed, the malware also can deploy the Lumma info stealer malware and the open-source Doenerium infostealer to exfiltrate person information and browser credentials.
However, if the third-stage payload is an executable file, it creates and runs a CMD file whereas dropping a renamed AutoIt interpreter with a .com extension. This AutoIt part then launches the binary and should drop one other model of the AutoIt interpreter with a .scr extension. A JavaScript file can also be deployed to assist execute and achieve persistence for .scr recordsdata.
Within the final stage of the assault, the AutoIt payloads use RegAsm or PowerShell to open recordsdata, allow distant browser debugging, and exfiltrate extra info. In some instances, PowerShell can also be used to configure exclusion paths for Home windows Defender or to drop extra NetSupport payloads.
Whereas GitHub was the first platform to host payloads delivered through the marketing campaign’s first stage, Microsoft Menace Intelligence additionally noticed payloads hosted on Dropbox and Discord.
“This exercise is tracked underneath the umbrella identify Storm-0408 that we use to trace quite a few menace actors related to distant entry or information-stealing malware and who use phishing, SEO (search engine marketing), or malvertising campaigns to distribute malicious payloads,” Microsoft stated.
“The marketing campaign impacted a variety of organizations and industries, together with each shopper and enterprise gadgets, highlighting the indiscriminate nature of the assault.”
Microsoft’s report offers extra and extra detailed info relating to the assorted levels of the assaults and the payloads used throughout the multi-stage assault chain of this advanced malvertising marketing campaign.
