Nearly a million devices were infected in a huge GitHub malvertising campaign
A malvertising campaign first spotted in December 2024 used GitHub to host payloads that have infected nearly one million devices


Microsoft has alerted users to a malvertising campaign leveraging GitHub to infect nearly 1 million devices around the world.
A new advisory from Microsoft Threat Intelligence stated that in December 2024 it detected a large-scale campaign using the developer platform as the primary vehicle to deliver the initial access payloads used in attacks.
The campaign’s initial stage injects adverts into videos on illegal streaming platforms which redirect potential victims to malicious GitHub repositories.
The repositories, which have now been taken down, were used to deploy a series of files and scripts as part of a “modular and multi-stage approach to payload delivery, execution, and persistence”, Microsoft detailed.
“The files were used to collect system information and to set up further malware and scripts to exfiltrate documents and data from the compromised host.”
The malicious payloads observed include Lumma Stealer, an updated version of the Doenerium infostealer, and the remote monitoring and management (RMM) tool NetSupport.
Microsoft said it was tracking the activity under the umbrella name Storm-0409, which it uses for a number of threat actors associated with remote access or infostealer malware who rely on malvertising campaigns to deliver these payloads.
The report noted that while GitHub was the primary platform used to deliver the malicious payloads, Microsoft also observed individual instances of the threat actors using Discord and Dropbox in the campaign.
GitHub struggles to contain malicious actors
GitHub has become a popular destination for hackers looking to host their attack infrastructure, with a string of attacks specifically targeting developers on the platform in recent years.
Kevin Kirkwood, CISO at Exabeam, said he was encouraged to see Microsoft taking action to mitigate the abuse of its platforms by cyber criminals, but noted the campaign exposes a broader problem Microsoft and others are facing around controlling misuse of platforms.
“It’s great news to hear that Microsoft has taken steps to mitigate the problem of a very large set of operations that were occurring in a number of GitHub repositories,” he commented.
“The problem is the level playing field that free and open-source software (FOSS) delivery systems offer to both the normal development community and the threat actor community. The developer is cruising for new libraries and code snippets outside of the containment offered by the corporate environment and the threat actor is masking and putting out malicious code in order to do their ‘job’.”
Kirkwood added that, by the very nature of being open, these platforms will never be totally safe from malign forces exploiting their permissive access conditions, but major players like GitHub could do more to create trust on the platform.
“The playing field may never change completely, but having a zone for curated and clean libraries, code, and code snippets that have been thoroughly vetted, as well as having developers that play within the controlled domains helps,” he explained.
“Managing the process where a wider search is needed for exploration for software solutions and scanning routines that can detect the run time behavior of inbound software will be the best case for FOSS seekers.”

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.