Malvertising Campaign Leads to GitHub-Hosted Info Stealers

Microsoft has removed some undisclosed GitHub repositories leveraged in a massive malvertising campaign that affected nearly 1 million devices worldwide. The company had this to say:
In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.
GitHub was the primary platform used in the delivery of the initial access payloads and is referenced throughout this blog post; however, Microsoft Threat Intelligence also observed one payload hosted on Discord and another hosted on Dropbox.
The GitHub repositories, which were taken down, stored malware used to deploy additional malicious files and scripts. Once the initial malware from GitHub gained a foothold on the device, the additional files deployed had a modular and multi-stage approach to payload delivery, execution, and persistence. The files were used to collect system information and to set up further malware and scripts to exfiltrate documents and data from the compromised host. This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads.
I have a number of comments on this. Starting with Ensar Seker, CSO at SOCRadar:
“The attackers used geofencing, device fingerprinting, and cloaking techniques to evade detection, which means the malicious payload is only delivered to targeted users, making it harder for security solutions to track and mitigate the campaign.
This campaign is likely part of a broader MaaS (Malware as a Service) ecosystem, where attackers use pre-built malvertising kits to distribute payloads like stealers, ransomware, and banking trojans. Malvertising has traditionally targeted Windows users, but with more professionals using macOS and Linux, we’ll see cross-platform payloads becoming more common.”
Roger Grimes, data-driven defense evangelist at KnowBe4, follows with this:
“It’s important to remember that despite the ingenuity and complexity of this malware dropper campaign, the victims still had to be socially engineered into executing the content on their system for their system to be compromised. They didn’t just see a (malicious) advertisement, click on it, and get compromised. No, they had been socially engineered into not only clicking on the ad, but then into approving the resultant prompts that then ran the malicious content (as long as they were fully patched). Seventy to ninety percent (70% – 90%) of all successful data breaches involve social engineering. A common type of social engineering is malicious advertising. Make sure your users are aware of how not every ad or internet search will lead them to a good place. In fact, these ads and Internet search returns often lead people to bad places. It’s something they need to be aware of.”
It’s good that Microsoft has taken action to take these repositories down. Hopefully they can maintain their vigilance to make sure that this doesn’t become a common occurrence.
This entry was posted on March 7, 2025 at 10:45 am and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.