We are increasingly exposed to phishing techniques and to more sophisticated methods for injecting malware into users’ computers. Although we must be careful on certain websites and not be fooled when checking our email or SMS, there may always be times when we fall into the trap. Hence the importance of always using different, complex passwords and enabling two-factor authentication, among other recommendations such as browsing with a VPN.
Among the latest cases of cybercrime is one detected by the Microsoft Threat Intelligence team, which identified a sophisticated malvertising campaign that used GitHub repositories to distribute malicious software. This operation, which took place at the end of last year, affected nearly a million devices, exposing them to information theft.
A sophisticated multi-level compound attack
The campaign began on unauthorised movie and TV show sharing websites, where malicious ads with hidden redirects were inserted. These ads generated revenue per view or click through deceptive advertising platforms. However, their main goal was not only financial gain, but also redirecting victims to dangerous domains.
Affected users were sent through a chain of redirects, passing through one or two malicious intermediaries before reaching a final website. At this final stage, the page would redirect the user back to a GitHub repository containing the initial attack code.
Once on GitHub, the victim unintentionally downloaded a first payload, which executed code designed to deploy two additional payloads. The first of these additional payloads collected information about the infected system, including data about RAM, graphics capabilities, screen resolution, operating system, and user paths.
The third level of infection varied depending on the compromised device, but typically included malicious activities such as communicating with command-and-control (C2) servers. This connection allowed attackers to download more dangerous files, extract system information, and apply techniques to evade security mechanisms.
One of the main objectives of the campaign was to steal credentials stored in web browsers. To do so, the attackers designed a multi-layered redirection system (between four and five levels) that allowed the malicious code to be progressively deployed, ensuring the persistence of the attack on compromised devices.
Microsoft has confirmed that the malicious repositories used on GitHub have now been removed. Additionally, the company has published a detailed report on the scale of compromised devices and other relevant data to help detect and mitigate similar threats in the future.