Microsoft Admits GitHub Hosted Malware That Infected Almost a Million Devices (theregister.com)
Microsoft has spotted a malvertising campaign that downloaded nastyware hosted on GitHub and exposed nearly a million devices to information thieves. From a report: Discovered by Microsoft Threat Intelligence late last year, the campaign saw pirate vid-streaming websites embed malvertising redirectors to generate pay-per-view or pay-per-click revenue from malvertising platforms. "These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub" according to Microsoft's threat research team.
GitHub hosted a first-stage payload that installed code that dropped two other payloads. One gathered system configuration info such as data on memory size, graphics capabilities, screen resolution, the operating system present, and user paths. Third-stage payloads varied but most "conducted additional malicious activities such as command and control (C2) to download additional files and to exfiltrate data, as well as defense evasion techniques."
Microsoft enables malware... (Score:2, Troll)
What else is new? I fail to see how this is even news. Well, maybe it is news that they actually noticed something, quite unlike other cases: https://www.cisa.gov/sites/def... [cisa.gov]
Re: (Score:2)
It was someone working for Microsoft who discovered the ssh backdoor [arstechnica.com] at an early stage. The more I read about that attack, the more it seems he did really good work.
Hard to avoid (Score:4, Insightful)
If you have a site as big as Github, you could have a team of top-notch people looking over usage patterns and still you probably wouldn't spot all the usage patterns.
Re: (Score:3)
Microsoft loves to tell us about how their AI is going to transform everything, why didn't it catch this? ;)
I hate posting pro-MS... but... (Score:2)
I generally don't post pro-MS, but I don't get why it is their responsibility to catch malware immediately. Why should a hosting provider have a responsibility to scan and vet everyone's stuff? MS has done a solid job in general ensuring a clean environment, but statistically, something gets through.
Only thing I can think of is having tiers of repositories and levels of vetting, where a repository can be considered vetted by MS after some paperwork... but even then, all it takes is a compromise of a r
Re:I hate posting pro-MS... but... (Score:4)
"MS has done a solid job in general ensuring a clean environment"
Are you nuts? The reason we are drowning in malware is precisely because MS created a computing platform that malware, in all its variations, could feast on.
Re: (Score:2)
The OS, yes. However, GitHub is a decent environment. The same could have happened with a public BitBucket, Gitea, GOGS, or GitLab cloud server.
Now, other MS stuff, I can agree with the parent, but GitHub is one of the few MS products that has decent support.
Re: (Score:1)
To the extent that is true, it is because MS did not build GitHub. They acquired it long after it was an established platform.
Re: (Score:2)
The same could have happened with a public BitBucket, Gitea, GOGS, or GitLab cloud server.
Watching a video (or an advertisement) should not be able to install anything on your machine. Yes, there are vulnerabilities in video codecs and browsers that have allowed for this in the past, but I'm not seeing any mention of a CVE number in this story, so I'm assuming these people who have been infected are clicking through on ads on the pirate streaming sites. For obvious reasons this is a very bad idea, but that is hardly MS or GitHub's fault.