
Microsoft Discovers Massive GitHub-Hosted Malware Campaign Affecting One Million Devices
From Streaming Sites to Data Theft: Stopping the GitHub Malware Pipeline
Attack Overview
Microsoft Threat Intelligence has uncovered a large-scale malvertising campaign that has infected nearly one million devices globally. Detected in early December 2024, this opportunistic attack campaign leveraged trusted platforms like GitHub to host and distribute information-stealing malware targeting both consumer and enterprise devices across various industries.
The campaign, tracked under Microsoft’s umbrella designation Storm-0408, represents a sophisticated multi-stage attack chain designed to steal sensitive information from compromised systems. What makes this attack particularly concerning is its widespread impact and the creative use of legitimate code hosting platforms to distribute malicious payloads.
Attack Vector and Infection Chain
The attack originated from illegal streaming websites that embedded malvertising redirectors within movie frames. These redirectors were designed to generate pay-per-view or pay-per-click revenue from malvertising platforms while simultaneously initiating a complex redirection chain.
The full infection sequence consisted of four to five redirection layers:
- Users visiting illegal streaming websites encountered embedded malvertising within iframes
- These ads redirected through several intermediate malicious redirectors
- Traffic was then sent to a malware or tech support scam website
- Finally, users were redirected to GitHub (primarily), Discord, or Dropbox hosting the first-stage malware payload
(Redirection Chain – Source: Microsoft Security)
Once the initial GitHub-hosted malware gained a foothold on the victim’s device, it deployed a modular, multi-stage attack:
- First Stage: Established an initial foothold by dropping a payload from GitHub repositories, many digitally signed with newly created certificates (12 in total, all of which have since been revoked)
- Second Stage: Conducted system discovery, collecting information on memory size, graphics details, screen resolution, operating system, and user paths, which was then Base64-encoded and exfiltrated to command and control servers
- Third Stage: Deployed PowerShell scripts and executable files to enable command execution, additional payload delivery, defensive evasion techniques, persistence, and data exfiltration
- Fourth Stage: Modified system security settings and delivered information-stealing malware
(Redirection Chain – Source: Microsoft Security)
Malware Payloads
The attack deployed several malicious payloads, including:
- Lumma Stealer and an updated version of Doenerium information stealers to collect system and browser information
- NetSupport RAT (Remote Access Trojan) for remote monitoring and control
- Various PowerShell, JavaScript, VBScript, and AutoIT scripts
The attackers incorporated living-off-the-land binaries and scripts (LOLBAS) such as PowerShell.exe, MSBuild.exe, and RegAsm.exe to exfiltrate user data and browser credentials. They established persistence by modifying registry Run keys and by adding shortcut files to the Windows Startup folder.
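The two persistence locations and the LOLBAS binaries named above are cheap to audit on a single host. The following PowerShell script is an added hunting example, not code from Microsoft's report or from CinchOps: it enumerates the Run/RunOnce keys and both Startup folders, resolves shortcut targets, and flags entries that invoke the named LOLBAS, run from user-writable paths, pass a Base64-encoded command, or are signed with a freshly issued certificate (the campaign's payloads were signed with newly created, since-revoked certificates). The list of user-writable roots and the 30-day certificate-age threshold are assumptions chosen for illustration.

```powershell
# Added hunting script (not from Microsoft's report or CinchOps).
# Enumerates the persistence locations named in the post (registry Run keys and
# Startup folders) and flags entries that match the described tradecraft.
# Assumptions: the user-writable roots below and the 30-day "young certificate" threshold.

$lolbas        = @('powershell.exe', 'msbuild.exe', 'regasm.exe')   # binaries named in the post
$userWritable  = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                   "$env:USERPROFILE\Downloads", 'C:\Users\Public', 'C:\ProgramData')
$youngCertDays = 30

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Pull the executable out of a command line: "C:\x\y.exe" args  or  C:\x\y.exe args
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+', 2)[0]
}

# Return the reasons an autorun entry looks suspicious (empty array = nothing found)
function Get-SuspicionReasons {
    param([string]$CommandLine)
    $reasons = @()
    foreach ($bin in $lolbas) {
        if ($CommandLine -match [regex]::Escape($bin)) { $reasons += "invokes LOLBAS $bin" }
    }
    foreach ($root in $userWritable) {
        if ($root -and $CommandLine -like "*$root*") { $reasons += "runs from user-writable path $root" }
    }
    if ($CommandLine -match '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}') {
        $reasons += 'passes a Base64-encoded PowerShell command'
    }
    $exe = Get-ExecutablePath $CommandLine
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            $reasons += "binary is unsigned or has an invalid signature ($($sig.Status))"
        } elseif ($sig.SignerCertificate.NotBefore -gt (Get-Date).AddDays(-$youngCertDays)) {
            $age = ((Get-Date) - $sig.SignerCertificate.NotBefore).Days
            $reasons += "signed with a certificate issued only $age days ago"
        }
    }
    return $reasons
}

$findings = @()

# Registry Run / RunOnce values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }       # skip PowerShell provider metadata
        $reasons = Get-SuspicionReasons ([string]$prop.Value)
        if ($reasons) {
            $findings += [pscustomobject]@{ Location = $key; Name = $prop.Name
                                            Command = $prop.Value; Reasons = ($reasons -join '; ') }
        }
    }
}

# Shortcut (.lnk) files in the Startup folders, resolved to their targets
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($lnk in Get-ChildItem -Path $folder -Filter *.lnk -File) {
        $sc  = $shell.CreateShortcut($lnk.FullName)
        $cmd = ('"{0}" {1}' -f $sc.TargetPath, $sc.Arguments).Trim()
        $reasons = Get-SuspicionReasons $cmd
        if ($reasons) {
            $findings += [pscustomobject]@{ Location = $folder; Name = $lnk.Name
                                            Command = $cmd; Reasons = ($reasons -join '; ') }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it in a standard user session to cover HKCU and the per-user Startup folder; the HKLM keys and the all-users Startup folder are readable without elevation. A hit is a lead, not a verdict: legitimate software also launches from ProgramData or carries a recently issued certificate, so compare each flagged entry against the host's expected software before acting on it.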
Microsoft’s Recommended Remediation
Microsoft recommends the following mitigations to protect against this threat:
Strengthen Microsoft Defender for Endpoint Configuration:
- Ensure tamper protection is enabled
- Enable network protection and web protection
- Run endpoint detection and response (EDR) in block mode
- Configure investigation and remediation in full automated mode
Microsoft Defender XDR Customers Should Enable Attack Surface Reduction Rules:
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block execution of potentially obfuscated scripts
- Block JavaScript or VBScript from launching downloaded executable content
- Block process creations originating from PSExec and WMI commands
- Block credential stealing from Windows local security authority subsystem
- Block use of copied or impersonated system tools
Strengthen Operating Environment Configuration:
- Require multi-factor authentication (MFA)
- Leverage phishing-resistant authentication methods
- Implement Entra ID Conditional Access authentication strength
- Encourage users to use Microsoft Edge and other browsers supporting Microsoft Defender SmartScreen
- Enable Network Level Authentication for Remote Desktop Service connections
- Enable Local Security Authority (LSA) protection
- Use AppLocker to restrict specific software tools prohibited within the organization
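Most of the host-level items in the three lists above can be audited and applied from one elevated PowerShell session. The script below is an added example, not Microsoft's or CinchOps' code: it reports the current state of tamper protection, network protection, the six attack surface reduction rules, LSA protection, RDP Network Level Authentication and AppLocker, and with `-Apply` turns on the locally settable ones. EDR in block mode, automated investigation, MFA, Conditional Access and SmartScreen policy are tenant or portal settings and are only noted, not changed. The ASR rule GUIDs are the values Microsoft publishes in its ASR rules reference for the rules named above; the rule-to-GUID mapping, the `-AsrMode` default and the `New-Row` helper are assumptions of this example.

```powershell
# Added audit/hardening script (not Microsoft's or CinchOps' code). Run elevated.
# Without -Apply it only reports. ASR rules default to AuditMode so their impact
# can be reviewed before they are promoted to Enabled.
[CmdletBinding()]
param(
    [switch]$Apply,
    [ValidateSet('AuditMode', 'Enabled')]
    [string]$AsrMode = 'AuditMode'
)

# Assumed mapping of the rules listed in the post to Microsoft's published ASR rule GUIDs.
$asrRules = [ordered]@{
    'Block executables unless prevalence/age/trusted-list criterion met' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block execution of potentially obfuscated scripts'                  = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block JavaScript/VBScript launching downloaded executable content'  = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block process creations from PSExec and WMI commands'               = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block credential stealing from LSASS'                               = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block use of copied or impersonated system tools'                   = 'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb'
}
$asrState = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$lsa    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$rdp    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
$alp    = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue

# Lookup of ASR rules already configured on this host: guid -> action code
$configured = @{}
for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
    $configured[([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToLower()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}

function New-Row {
    param($Control, $Ok, $Current, $Note)
    [pscustomobject]@{ Control = $Control; Compliant = [bool]$Ok; Current = $Current; Note = $Note }
}

$report = @(
    New-Row 'Tamper protection'  $status.IsTamperProtected            $status.IsTamperProtected     'Managed from the Defender portal / Intune; not set by this script'
    New-Row 'Network protection' ($pref.EnableNetworkProtection -eq 1) $pref.EnableNetworkProtection '0=Disabled 1=Enabled 2=AuditMode'
    New-Row 'LSA protection'     ($lsa.RunAsPPL -ge 1)                $lsa.RunAsPPL                 'RunAsPPL; takes effect after reboot'
    New-Row 'RDP NLA'            ($rdp.UserAuthentication -eq 1)      $rdp.UserAuthentication       'UserAuthentication on RDP-Tcp'
    New-Row 'AppLocker policy'   ($alp -and @($alp.RuleCollections).Count -gt 0) ($null -ne $alp) 'Rule design is organisation-specific; not set by this script'
    New-Row 'EDR block mode / automated investigation' $false 'n/a' 'Tenant settings in the Defender portal; verify there'
)
foreach ($rule in $asrRules.GetEnumerator()) {
    $cur = [int]$configured[$rule.Value.ToLower()]     # missing rule -> 0 (Disabled)
    $report += New-Row "ASR: $($rule.Key)" ($cur -eq 1) $asrState[$cur] $rule.Value
}

if ($Apply) {
    Set-MpPreference -EnableNetworkProtection Enabled
    foreach ($id in $asrRules.Values) {
        # Add-MpPreference adds or updates one rule without disturbing the others
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $AsrMode
    }
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -PropertyType DWord -Value 1 -Force | Out-Null
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
    Write-Host 'Settings applied; re-run without -Apply to verify. LSA protection needs a reboot.'
}

$report | Format-Table -AutoSize -Wrap
```

Promote the ASR rules from AuditMode to Enabled only after reviewing the audit events for a representative set of machines; the "PSExec and WMI" rule in particular is documented by Microsoft as incompatible with management tooling that drives clients through WMI, and the prevalence/age rule will block freshly built internal executables until they are added to the trusted list. Where tamper protection is already enforced from the portal, the Defender settings written by `-Apply` may be overridden by policy, which is the intended behaviour.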
How CinchOps Can Assist
At CinchOps, we recognize the severity of threats like the GitHub-hosted malware campaign and offer comprehensive solutions to protect your organization:
- DNS Filtering and Web Security: We implement robust DNS filtering solutions to prevent access to illegal streaming sites and known malicious domains on corporate or business-owned devices, cutting off the initial attack vector.
- Threat Detection and Response: Our advanced security monitoring services can identify suspicious activities associated with malvertising campaigns and information stealers, allowing for rapid mitigation.
- Security Assessment: We conduct thorough evaluations of your environment to identify potential vulnerabilities that could be exploited by campaigns like Storm-0408.
- Multi-factor Authentication Implementation: We help deploy robust MFA solutions that mitigate the risk of credential theft, a key objective of information-stealing malware.
- Endpoint Protection Optimization: Our team ensures your Microsoft Defender for Endpoint or other security solutions are properly configured with all recommended protections enabled.
- User Awareness Training: We provide education on recognizing malvertising threats and avoiding suspicious websites and downloads.
- Incident Response Planning: Should an infection occur, our incident response team is ready to contain, eradicate, and recover from the threat while minimizing business impact.
Don’t wait until your organization becomes part of the statistics. Contact CinchOps today to strengthen your security posture against sophisticated multi-stage attacks like the GitHub-hosted malware campaign.
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.