Massive Malvertising Campaign Hits One Million Devices, Microsoft Warns


A New Cyber Threat Exploits GitHub for Malware Distribution

A large-scale malvertising campaign has affected nearly one million devices, redirecting unsuspecting users to information-stealing malware hosted on GitHub, Microsoft has reported.

This campaign, attributed to a cybercriminal group tracked as Storm-0408, primarily targeted visitors of illegal streaming websites. Malicious advertisements (malvertising) led users through a series of redirects, ultimately delivering malware via Microsoft’s own code hosting platform, GitHub.

The attacks affected a broad range of industries, impacting both personal and enterprise devices. The infection chain included multiple stages, beginning with a GitHub-hosted dropper that deployed additional files to gather system data and steal sensitive information.

Once installed, the malware could carry out further malicious activity, such as establishing persistence, executing commands, and exfiltrating data. Microsoft identified two key information stealers—Lumma Stealer and an updated version of Doenerium—along with the NetSupport remote monitoring tool, abused here as a remote access trojan, and various malicious scripts written in PowerShell, JavaScript, VBScript, and AutoIT.

The attackers relied on living-off-the-land binaries and scripts (LOLBAS), tools already present on Windows, for command-and-control operations, which makes the activity harder to distinguish from legitimate administration. To maintain persistence, they modified registry Run keys and created shortcuts in the Startup folder. Alarmingly, Microsoft found that the initial malware payloads were digitally signed with at least 12 different certificates, all of which have since been revoked.

In response, Microsoft has provided technical details and indicators of compromise (IoCs) to help organizations detect and mitigate these threats. The company urges users and businesses to strengthen their cybersecurity defenses to prevent further exploitation.

What Undercode Says:

This campaign highlights the growing sophistication of cybercriminal tactics, particularly their ability to weaponize legitimate platforms such as GitHub, Discord, and Dropbox for malware distribution. The abuse of trusted platforms adds credibility to their attacks, making them harder to detect and block.

Why Is This Attack Significant?

  1. Scale and Impact: Nearly one million devices affected is a staggering figure. This campaign demonstrates the reach of modern cyber threats, which can spread rapidly through deceptive online ads.
  2. Legitimate Platforms Abused: The attackers leveraged GitHub, a well-known and trusted platform, to host and distribute malware, making it more difficult for security solutions to flag these activities as malicious.
  3. Multi-Stage Infection Chain: The malware didn’t just steal data—it used multiple stages to establish persistence, execute remote commands, and expand its reach within compromised systems.
  4. Digitally Signed Malware: The fact that the payloads were signed with valid certificates raises concerns about the effectiveness of current code-signing protections and the potential for abuse by threat actors. A valid signature only proves that the signer held the private key for a certificate a CA was willing to issue; it says nothing about whether the code is benign, so any control that treats "signed" as "trusted" will wave such payloads through.

How the Attack Worked

  • Malvertising as an Entry Point: Victims were lured through malicious ads on illegal streaming sites.
  • Multiple Redirects: Users were funneled through a chain of websites before landing on the malware-hosting GitHub repositories.
  • Payload Deployment: The GitHub-hosted dropper executed scripts to collect system information, deploy additional malware, and establish persistence.
  • Stealing Sensitive Data: Attackers used information stealers like Lumma Stealer and Doenerium to extract credentials, financial information, and other sensitive data.
  • Command-and-Control (C2) Operations: Living-off-the-land binaries such as PowerShell, MSBuild, and RegAsm were used to maintain communication with attacker-controlled servers, blending C2 traffic in with activity from legitimate Windows components.
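The persistence and C2 techniques listed above (Run-key entries and Startup-folder shortcuts that hand execution to a script host or LOLBin) leave a recognisable shape in autorun data. The following is an added triage example written for this article, not code from Microsoft's report or from any tool it names: it scores autorun entries on a few independent signals and flags those with two or more. The detection patterns and the sample entries are constructed for illustration and are not published indicators of compromise.

```python
"""Triage Windows autorun entries for the persistence pattern described above:
registry Run-key values and Startup-folder shortcuts that launch a script host or
living-off-the-land binary from a user-writable location. The sample entries are
constructed for this example, not indicators from Microsoft's report."""
import re
from dataclasses import dataclass

# Script hosts and LOLBins the campaign is described as abusing for scripts and C2.
LOLBIN_LAUNCHERS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|autoit3|msbuild|regasm)(\.exe)?\b", re.I)
# Locations a dropper can write to without administrative rights.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\"
    r"|%APPDATA%|%TEMP%|%LOCALAPPDATA%)", re.I)
# Download-cradle, hidden-window or encoded-command hints in the launch command.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b|downloadstring|invoke-webrequest"
    r"|\biwr\s|\biex\b|raw\.githubusercontent\.com|github\.com/[^/\s]+/[^/\s]+/releases/download)",
    re.I)
# Script files rather than compiled programs (PowerShell, JScript, VBScript, compiled AutoIt, HTA).
SCRIPT_EXT = re.compile(r"\.(ps1|js|vbs|vbe|jse|a3x|hta|bat|cmd)\b", re.I)


@dataclass
class AutorunEntry:
    source: str   # registry key path, or "Startup folder"
    name: str     # value name or shortcut file name
    command: str  # command line the entry launches


def score_entry(entry: AutorunEntry) -> list[str]:
    """Return the reasons an entry looks like malicious persistence (empty list = not flagged)."""
    reasons = []
    cmd = entry.command
    launcher = LOLBIN_LAUNCHERS.search(cmd)
    if launcher:
        reasons.append(f"launches script host/LOLBin {launcher.group(1).lower()}")
    if USER_WRITABLE.search(cmd):
        reasons.append("points into a user-writable directory")
    if SCRIPT_EXT.search(cmd):
        reasons.append("runs a script file rather than a program")
    if SUSPICIOUS_ARGS.search(cmd):
        reasons.append("contains download-cradle, hidden-window or encoded-command arguments")
    if entry.source.lower().startswith("startup") and launcher:
        reasons.append("Startup-folder shortcut wrapping a script host")
    # Require two independent signals so a legitimate updater living in AppData is not
    # flagged on location alone.
    return reasons if len(reasons) >= 2 else []


def triage(entries):
    """Map entry name -> reasons for every entry that scores as suspicious."""
    results = {}
    for e in entries:
        reasons = score_entry(e)
        if reasons:
            results[e.name] = reasons
    return results


# Constructed sample autoruns (placeholders, not real indicators). The base64 blob is a
# constructed stand-in for an encoded PowerShell command.
SAMPLE_ENTRIES = [
    AutorunEntry("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
                 "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"),
    AutorunEntry("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    AutorunEntry("Startup folder", "Media Player.lnk",
                 "wscript.exe //B C:\\Users\\alice\\AppData\\Roaming\\player\\update.vbs"),
    AutorunEntry("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
                 "%windir%\\system32\\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"[!] {name}: " + "; ".join(reasons))
```

On a live host the entries would come from the HKLM/HKCU Run and RunOnce keys and the per-user and all-users Startup folders; the two-signal threshold is deliberately conservative, so a bare "powershell.exe" Run value with no other hint is left for a human to review rather than auto-flagged.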

Broader Cybersecurity Implications

This incident is a wake-up call for both individuals and enterprises. Malvertising has become an increasingly popular attack vector, and legitimate services like GitHub, Dropbox, and Discord are frequently exploited for malware distribution. Businesses cannot simply block these hosts, so they need to control what executable content can be fetched from public file-hosting and code-repository services and train employees to recognize suspicious downloads.

Organizations should also:

  • Monitor Network Traffic: Look for executables or archives downloaded from GitHub, Discord, or Dropbox shortly after a chain of redirects from unrelated sites, and for later traffic to those hosts originating from script hosts or LOLBins rather than a browser.
  • Deploy Endpoint Protection: Advanced threat detection solutions can identify malicious scripts, block abuse of LOLBins, and surface the registry and Startup-folder persistence described above before the stealers run.
  • Do Not Equate "Signed" With "Safe": Treat a valid Authenticode signature as one signal, not as proof of trust; check certificate revocation status, and base application-control policy on an allowlist of known publishers rather than on the mere presence of a signature.
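The network-monitoring advice above is easiest to act on as a concrete hunt. The following is an added example written for this article (not a Microsoft detection or a product rule): it walks a simplified proxy log per client and raises an alert when an executable artifact is fetched from one of the named file hosts after one or more off-host redirects, or with a referer that is not the file host itself. The log format, the placeholder domains and the repository paths are constructed for the example; only the file-host domains are real services.

```python
"""Hunt a proxy log for the delivery chain described above: a browser session bounced
through one or more redirectors that ends with an executable artifact pulled from a
trusted file host (GitHub, Discord CDN, Dropbox). The log lines and the non-file-host
domains below are constructed placeholders for this example."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from urllib.parse import urlparse

# File hosts the article names as abused for payload hosting.
FILE_HOSTS = ("github.com", "githubusercontent.com", "discordapp.com", "discord.com",
              "dropbox.com", "dropboxusercontent.com")
# Artifact types a dropper chain typically ends with (by extension or by MIME type).
PAYLOAD_EXT = (".exe", ".msi", ".zip", ".rar", ".7z", ".js", ".vbs", ".ps1", ".a3x")
PAYLOAD_TYPES = ("application/octet-stream", "application/x-msdownload",
                 "application/zip", "application/x-msdos-program")
WINDOW = timedelta(seconds=60)   # how far back to look for the redirect chain
MIN_REDIRECTS = 1                # off-host 3xx responses needed to alert without a bad referer


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_file_host(host):
    return any(host == h or host.endswith("." + h) for h in FILE_HOSTS)


def looks_like_payload(url, content_type):
    path = urlparse(url).path.lower()
    return path.endswith(PAYLOAD_EXT) or content_type.lower().split(";")[0].strip() in PAYLOAD_TYPES


def parse_log(text):
    """Parse the constructed CSV format: timestamp,client,method,url,status,content_type,referer."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["timestamp"])
        r["status"] = int(r["status"])
        rows.append(r)
    return rows


def find_delivery_chains(rows):
    """Return one alert per payload download that was preceded by off-host redirects
    or arrived with a referer outside the file host."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(reqs):
            host = host_of(r["url"])
            if not (is_file_host(host) and looks_like_payload(r["url"], r["content_type"])):
                continue
            # Walk back over the window: 3xx responses from hosts other than the file hosts.
            chain = [p for p in reqs[:i]
                     if r["ts"] - p["ts"] <= WINDOW and 300 <= p["status"] < 400
                     and not is_file_host(host_of(p["url"]))]
            referer_off_host = bool(r["referer"]) and not is_file_host(host_of(r["referer"]))
            if len(chain) >= MIN_REDIRECTS or referer_off_host:
                alerts.append({"client": client, "payload": r["url"],
                               "chain": [p["url"] for p in chain] + [r["url"]]})
    return alerts


# Constructed sample log: one malvertising-style chain and one benign GitHub release download.
SAMPLE_LOG = """timestamp,client,method,url,status,content_type,referer
2025-03-06T10:00:01,10.1.2.3,GET,https://stream-site.example/watch/1234,200,text/html,
2025-03-06T10:00:02,10.1.2.3,GET,https://ads-redirector.example/click?id=1,302,text/html,https://stream-site.example/watch/1234
2025-03-06T10:00:03,10.1.2.3,GET,https://lander.example/go,302,text/html,https://ads-redirector.example/click?id=1
2025-03-06T10:00:04,10.1.2.3,GET,https://github.com/exampleuser/examplerepo/releases/download/v1/Setup.zip,200,application/zip,https://lander.example/go
2025-03-06T10:05:00,10.1.2.9,GET,https://github.com/exampleorg/tool/releases/download/v2/tool.zip,200,application/zip,https://github.com/exampleorg/tool/releases
2025-03-06T10:06:00,10.1.2.9,GET,https://raw.githubusercontent.com/exampleorg/tool/main/README.md,200,text/plain,https://github.com/exampleorg/tool
"""

if __name__ == "__main__":
    for a in find_delivery_chains(parse_log(SAMPLE_LOG)):
        print(f"[!] {a['client']} fetched {a['payload']} via:")
        for hop in a["chain"]:
            print("     ", hop)
```

The benign client that navigates from a GitHub release page to its asset is not alerted on, because the referer is the file host and there is no off-host redirect in the window; that is the distinction that lets this run over a corporate proxy log where GitHub downloads are routine.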

Microsoft’s Response and Next Steps

The revocation of the abused code-signing certificates and Microsoft’s publication of technical details and indicators of compromise (IoCs) give defenders something concrete to act on. However, this attack underscores the need for continuous monitoring of trusted platforms and improved security controls to prevent similar incidents in the future.

Fact Checker Results

  • True: Microsoft confirmed that GitHub-hosted malware was used in the attacks.
  • True: The campaign affected nearly one million devices, according to Microsoft’s telemetry data.
  • True: The initial payloads were signed with at least 12 different certificates, all of which have since been revoked.

References:

Reported By: https://www.securityweek.com/microsoft-says-one-million-devices-impacted-by-infostealer-campaign/