Microsoft recently took down several GitHub repositories used in a widespread malvertising campaign. This campaign impacted nearly one million devices globally, with malware delivered through pirated streaming websites. The threat analysts at Microsoft discovered the attacks in early December 2024, as they tracked the download of malicious files from compromised GitHub repositories. The attackers used embedded ads within video content on illegal streaming sites to redirect victims to these dangerous repositories.
The malicious redirectors embedded in the video frames generated revenue through pay-per-click or pay-per-view models.
Once a victim visited the infected site, they were routed through multiple redirectors, ultimately landing on malicious websites. These websites redirected victims to GitHub, where malware was delivered to infected devices. The malware primarily performed system discovery, collecting details like memory size, OS information, and user paths, exfiltrating data while deploying additional payloads.
As the attack progressed, a third-stage PowerShell script payload downloaded the NetSupport RAT, which established persistence on the infected device.
The attackers also deployed Lumma and Doenerium infostealers to steal data, including browser credentials. In other instances, the third-stage payload took the form of an executable file, which triggered a series of components like renamed AutoIt interpreters and JavaScript files. These files helped to maintain persistence and execute further malicious actions on the compromised systems.
Microsoft tracked the activity under the name Storm-0408, covering multiple threat actors associated with remote access and information-stealing malware. While GitHub was the primary platform for delivering the payloads, Microsoft also observed infections from Dropbox and Discord. This campaign targeted a broad range of industries, affecting both consumer and enterprise devices. Microsoft emphasized the campaign’s indiscriminate nature and the sophistication of the multi-stage attack chain.
Reference:
