
Microsoft has neutralised a large-scale malvertising campaign, which affected nearly one million devices globally, by taking down a number of GitHub repositories that were instrumental in the attack. The attacks involved the use of malware hosted on GitHub to infiltrate devices and deploy subsequent malicious payloads.
“The campaign impacted a wide range of organisations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack,” Microsoft said in a blog post.
Malvertising campaign’s multi-stage attack chain
Beginning in early December 2024, Microsoft's threat analysts observed multiple devices downloading malware from GitHub repositories. The activity is believed to have originated from illegal streaming websites.
The attackers injected malicious ads into video streams on pirated streaming sites, and those ads redirected viewers to GitHub repositories under the attackers' control.
The streaming websites embedded malvertising redirectors within the movie frames to earn revenue from malvertising platforms through pay-per-view or pay-per-click schemes. These redirectors forwarded traffic through one or two further malicious redirects before landing users on another site, such as a malware or tech support scam page, which in turn redirected to GitHub.
Microsoft said that the malvertising campaign used a multi-tiered approach to compromise devices, with the complexity of the attack varying based on the specific payload delivered during the second stage.
The first-stage payload, hosted on GitHub, acted as a dropper for the stages that followed. Once it was in place, the second-stage files performed system discovery, collecting details such as memory size, graphics hardware, screen resolution, operating system and user paths. This system information was Base64-encoded and sent over HTTP to an IP address.
The third-stage payloads varied according to which second-stage payload preceded them. Typically they carried out a range of malicious activity, including establishing command and control (C2) to download additional malicious files and facilitate data exfiltration.
In some cases, the third-stage payload executed a CMD file and dropped an AutoIt interpreter to support further malicious activity. The final stage used RegAsm or PowerShell to open files, enable remote browser debugging and extract more information; enabling remote debugging exposes the browser's DevTools interface, which lets whatever process drives the browser read its cookies and session data. In certain instances, PowerShell was used to bypass Windows Defender or to deliver additional NetSupport payloads.
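Two of the behaviours described above are easy to hunt for in ordinary telemetry: the second stage's Base64-encoded system profile sent over HTTP to a bare IP address, and the final stage launching a browser with remote debugging enabled from a script host such as PowerShell or RegAsm. The following is an added example written for this article, not code from Microsoft's report or from the campaign itself. The proxy log lines, process events, field layout, keyword list and the set of "suspicious" parent processes are all assumptions constructed for illustration; the keyword scoring is a heuristic, not a signature for any specific malware family.

```python
import base64
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "<timestamp> <client> <method> <url>".
# Illustrative only, not from the article or Microsoft's report;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
_FAKE_SYSINFO = b"ram=16GB|gpu=NVIDIA GeForce|res=1920x1080|os=Windows 10|user=C:\\Users\\alice"
SAMPLE_PROXY_LOG = [
    "2024-12-03T10:14:02Z 10.0.0.21 GET https://github.com/example/repo/releases",
    "2024-12-03T10:15:44Z 10.0.0.21 POST http://203.0.113.15/gate?d="
    + base64.b64encode(_FAKE_SYSINFO).decode(),
    "2024-12-03T10:16:10Z 10.0.0.22 GET http://198.51.100.7/health?token=abc123",
]

# Constructed process-creation events (assumed schema: parent image, child
# image, command line). The VS Code entry shows a legitimate developer use.
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe https://example.org"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": 'chrome.exe --remote-debugging-port=9222 --headless --user-data-dir="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data"'},
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe --remote-debugging-port 6000"},
    {"parent": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9222 http://localhost:3000"},
]

BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long Base64 runs only
RESOLUTION = re.compile(r"\b\d{3,4}x\d{3,4}\b")            # e.g. 1920x1080
# Assumed fingerprint vocabulary; tune to what a real second stage collects.
SYSINFO_KEYWORDS = ("ram", "memory", "gpu", "graphic", "screen", "windows", "users")

REMOTE_DEBUG_FLAG = re.compile(r"--remote-debugging-port(?:=|\s+)\d+", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Parents named in the article (CMD, AutoIt, RegAsm, PowerShell) plus common
# script hosts; an assumption, not a list from the report.
SCRIPT_HOST_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "regasm.exe",
                       "autoit3.exe", "wscript.exe", "mshta.exe"}


def _decode_printable(token):
    """Decode a Base64 token; return text only if it is printable ASCII."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_sysinfo_beacons(lines, min_score=2):
    """Flag HTTP requests to a bare IP whose URL carries a Base64 blob that
    decodes to something resembling a host fingerprint."""
    hits = []
    for line in lines:
        try:
            _ts, client, method, url = line.split(" ", 3)
        except ValueError:
            continue
        host = urlsplit(url).hostname
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # domain name (or no host): not the bare-IP pattern described
        for token in BASE64_TOKEN.findall(url):
            text = _decode_printable(token)
            if text is None:
                continue
            low = text.lower()
            score = sum(k in low for k in SYSINFO_KEYWORDS) + bool(RESOLUTION.search(text))
            if score >= min_score:
                hits.append({"client": client, "method": method, "host": host,
                             "score": score, "decoded": text})
    return hits


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_remote_debug_launches(events):
    """Flag browsers started with a remote-debugging port; mark whether the
    parent is a script host rather than a shell or IDE."""
    hits = []
    for ev in events:
        child, parent = _basename(ev["image"]), _basename(ev["parent"])
        if child not in BROWSERS or not REMOTE_DEBUG_FLAG.search(ev["cmdline"]):
            continue
        hits.append({"parent_name": parent, "child_name": child,
                     "suspicious_parent": parent in SCRIPT_HOST_PARENTS,
                     "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in find_sysinfo_beacons(SAMPLE_PROXY_LOG):
        print("beacon:", hit["client"], "->", hit["host"], hit["decoded"])
    for hit in find_remote_debug_launches(SAMPLE_PROCESS_EVENTS):
        print("remote-debug:", hit["parent_name"], "->", hit["child_name"],
              "suspicious" if hit["suspicious_parent"] else "expected")
```

Real proxy logs usually percent-encode `+` and `/` in query strings, so decode the URL before running the Base64 regex on production data. The `suspicious_parent` flag is what separates the campaign's pattern from a developer driving a headless browser from an IDE; the remote-debugging flag alone is not malicious.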
In addition to GitHub, Microsoft’s Threat Intelligence team also noted that Dropbox and Discord were used to host payloads.
“This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimisation (SEO), or malvertising campaigns to distribute malicious payloads,” Microsoft noted.