Newly one million devices have been impacted by a malvertising campaign redirecting users to information stealer malware hosted on GitHub, Microsoft reports.
The campaign, attributed to a threat actor tracked as Storm-0408, targeted the visitors of illegal streaming websites, where malvertising redirectors led to an intermediate site and then to the Microsoft-owned code hosting platform.
The opportunistic attacks, which mainly relied on GitHub to host malware, but also on Discord and Dropbox, impacted “a wide range of organizations and industries, including both consumer and enterprise devices”, Microsoft says.
The multi-layers infection chain observed in these attacks included the GitHub-hosted first-stage payload acting as a dropper, second-stage files for system discovery and system information theft, and third-stage payloads for additional malicious activities.
Once installed on a victim’s device, the malware stored in GitHub repositories would fetch and deploy additional files and scripts, to harvest additional system information, achieve persistence, execute commands, and exfiltrate data from the compromised systems.
Specifically, Microsoft identified information stealers such as Lumma stealer and an updated version of Doenerium being deployed on victims’ systems, along with the NetSupport remote monitoring and management (RMM) software, and various PowerShell, JavaScript, VBScript, and AutoIT scripts.
For command-and-control (C&C) operations and data and browser credential exfiltration, the threat actors employed living-off-the-land binaries and scripts such as PowerShell, MSBuild, and RegAsm. For persistence, the attackers modified registry run keys and added a shortcut file to the Startup folder.
According to Microsoft, the first-stage payloads used in the campaign were digitally signed. Microsoft identified and revoked 12 different certificates used as part of the attacks.
The tech giant has provided technical details on the observed malicious files and scripts, along with indicators of compromise (IoCs), urging organizations and users to ensure their systems are properly protected against such attacks.
Related: Network of 3,000 GitHub Accounts Used for Malware Distribution
Related: Threat Actors Abuse GitHub to Distribute Multiple Information Stealers
Related: US Transportation and Logistics Firms Targeted With Infostealers, Backdoors
Related: Threat Actor Uses Multiple Infostealers in Global Campaign
