Nearly a million devices were infected in a huge GitHub malvertising campaign


Microsoft has alerted users to a malvertising campaign leveraging GitHub to infect nearly 1 million devices around the world.

A new advisory from Microsoft Threat Intelligence states that in December 2024 it detected a large-scale campaign that used the developer platform as the primary vehicle for delivering the initial-access payloads used in the attacks.

The campaign’s initial stage injects malicious adverts into videos on illegal streaming sites; these adverts redirect potential victims to malicious GitHub repositories.

The repositories, which have now been taken down, were used to deploy a series of files and scripts as part of a “modular and multi-stage approach to payload delivery, execution, and persistence”, Microsoft detailed.

“The files were used to collect system information and to set up further malware and scripts to exfiltrate documents and data from the compromised host.”

Payloads observed in the campaign include Lumma Stealer, an updated version of the Doenerium infostealer, and the legitimate remote monitoring and management (RMM) tool NetSupport, which the attackers abuse to gain remote access to the compromised host.
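The chain described above (a redirect from a streaming site lands a first-stage archive or script from GitHub, and a follow-on stage is then pulled by a script host such as PowerShell) leaves a recognisable pattern in web-proxy telemetry. The following is an added detection example written for this article; it is not code from Microsoft’s report, and the repository name, hostnames, timestamps and log lines are all constructed. It flags GitHub downloads of executable-looking artifacts whose referer is a third-party site, GitHub fetches made by non-browser user agents, and the two occurring on one client within a short window:

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlparse

# Constructed proxy log, one request per line (not real telemetry):
# timestamp client_ip method url referer user_agent
SAMPLE_LOG = """\
2024-12-03T10:01:12Z 10.0.0.5 GET https://stream-example.invalid/watch/123 - Mozilla/5.0 (Windows NT 10.0) Chrome/131
2024-12-03T10:01:14Z 10.0.0.5 GET https://ads-redirect.invalid/go?id=77 https://stream-example.invalid/watch/123 Mozilla/5.0 (Windows NT 10.0) Chrome/131
2024-12-03T10:01:15Z 10.0.0.5 GET https://github.com/exampleuser/examplerepo/releases/download/v1/Setup.zip https://ads-redirect.invalid/go?id=77 Mozilla/5.0 (Windows NT 10.0) Chrome/131
2024-12-03T10:03:40Z 10.0.0.5 GET https://raw.githubusercontent.com/exampleuser/examplerepo/main/stage2.ps1 - Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2024-12-03T10:05:02Z 10.0.0.9 GET https://github.com/python/cpython/archive/refs/tags/v3.12.0.zip https://github.com/python/cpython Mozilla/5.0 (Windows NT 10.0) Chrome/131
2024-12-03T10:06:30Z 10.0.0.9 GET https://raw.githubusercontent.com/python/cpython/main/README.rst - Mozilla/5.0 (Windows NT 10.0) Chrome/131
"""

# Hosts that serve GitHub repository content and release assets.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com", "codeload.github.com"}
# Extensions typical of droppers and stagers; tune to your environment.
PAYLOAD_EXT = (".exe", ".msi", ".zip", ".rar", ".7z", ".ps1", ".bat",
               ".cmd", ".vbs", ".js", ".dll")
# User agents of script hosts and download tools rather than browsers.
SCRIPT_UA = re.compile(r"PowerShell|curl|Wget|python-requests|certutil", re.I)
# Maximum gap between first-stage download and follow-on script fetch.
CHAIN_WINDOW = timedelta(minutes=15)


@dataclass
class Request:
    ts: datetime
    client: str
    url: str
    referer: Optional[str]
    user_agent: str


def parse_log(text: str) -> list:
    """Parse the constructed space-separated log format above."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # User agents contain spaces, so split into at most six fields.
        ts, client, _method, url, referer, ua = line.split(None, 5)
        reqs.append(Request(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            client, url, None if referer == "-" else referer, ua))
    return reqs


def host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_payload(url: str) -> bool:
    return urlparse(url).path.lower().endswith(PAYLOAD_EXT)


def analyze(requests: list) -> dict:
    """Return {client: [(rule, url), ...]} for clients with suspicious GitHub activity."""
    findings = {}
    first_stage = {}  # client -> time of earliest redirected payload download
    for r in sorted(requests, key=lambda x: x.ts):
        if host(r.url) not in GITHUB_HOSTS:
            continue
        hits = findings.setdefault(r.client, [])
        ref_host = host(r.referer) if r.referer else ""
        # Rule 1: executable-looking GitHub asset reached via a non-GitHub referer.
        if is_payload(r.url) and ref_host and ref_host not in GITHUB_HOSTS:
            hits.append(("redirected_download", r.url))
            first_stage.setdefault(r.client, r.ts)
        # Rule 2: GitHub content fetched by a script host instead of a browser.
        if SCRIPT_UA.search(r.user_agent):
            hits.append(("script_host_fetch", r.url))
            # Rule 3: rule 2 shortly after rule 1 on the same client = staged delivery.
            t0 = first_stage.get(r.client)
            if t0 is not None and r.ts - t0 <= CHAIN_WINDOW:
                hits.append(("staged_delivery", r.url))
    return {c: h for c, h in findings.items() if h}


if __name__ == "__main__":
    for client, hits in analyze(parse_log(SAMPLE_LOG)).items():
        for rule, url in hits:
            print(f"{client}\t{rule}\t{url}")
```

The benign client in the sample (a browser pulling a CPython tag archive with a GitHub referer, then a README) produces no findings, which is the point: GitHub traffic itself is not the signal, the combination of a third-party referer, an executable-looking asset, and a script-host follow-on fetch is.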

Microsoft said it is tracking the activity under the umbrella name Storm-0408, which it uses for a number of threat actors associated with remote access or infostealer malware who rely on malvertising campaigns to deliver their payloads.

The report noted that while GitHub was the primary platform used to host the malicious payloads, Microsoft also observed isolated instances of the threat actors using Discord and Dropbox in the campaign.

GitHub struggles to contain malicious actors

GitHub has become a popular destination for hackers looking to host their attack infrastructure, with a string of attacks specifically targeting developers on the platform in recent years.

Kevin Kirkwood, CISO at Exabeam, said he was encouraged to see Microsoft taking action to mitigate the abuse of its platforms by cyber criminals, but noted the campaign exposes a broader problem Microsoft and others are facing around controlling misuse of platforms.

"It’s great news to hear that Microsoft has taken steps to mitigate the problem of a very large set of operations that were occurring in a number of GitHub repositories,” he commented.

“The problem is the level playing field that free and open-source software (FOSS) delivery systems offer to both the normal development community and the threat actor community. The developer is cruising for new libraries and code snippets outside of the containment offered by the corporate environment and the threat actor is masking and putting out malicious code in order to do their ‘job’.”

Kirkwood added that, by the very nature of being open, these platforms will never be totally safe from malign actors exploiting their permissive access conditions, but that major players like GitHub could do more to create trust on the platform.

“The playing field may never change completely, but having a zone for curated and clean libraries, code, and code snippets that have been thoroughly vetted, as well as having developers that play within the controlled domains helps,” he explained.

“Managing the process where a wider search is needed for exploration for software solutions and scanning routines that can detect the run time behavior of inbound software will be the best case for FOSS seekers.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.