A malvertising campaign is abusing dangling commits on GitHub to distribute malware disguised as the GitHub Desktop client. A dangling commit is one that no branch or tag in the repository references: it does not show up when browsing the repository, but GitHub still serves it at its direct commit URL, and that URL is what the attackers advertise.
The approach marks a shift in tactics because it leans on the trust and legitimacy users associate with GitHub's own platform, rather than a look-alike download site, to persuade them to download malicious software.
The campaign promotes compromised GitHub repositories whose dangling commits carry the malware. Because such a commit is absent from every branch and tag, a user who inspects the repository sees only its legitimate history, while the advertised link delivers the payload.
Users who search for GitHub Desktop are shown malicious advertisements that redirect them to these repositories, which look legitimate at first glance but hide the malware in commits that normal browsing never surfaces.
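The following is an added example, not code from the Unit 42 report or from GitHub: it builds a throwaway repository in which one commit is on a branch and one has had its branch deleted (the state a payload commit is left in), then shows the check a practitioner can run on a clone fetched with all refs before trusting a commit URL. Function names, the commit messages and the author identity are made up for the demonstration; the only real interfaces used are `git for-each-ref --contains` and `git fsck --unreachable --no-reflogs`.

```python
from __future__ import annotations

import os
import shutil
import subprocess
import tempfile

# Identity for the constructed commits only; against a real repository you
# would run the two check functions on a `git clone --mirror` of it.
_ENV = {**os.environ,
        "GIT_AUTHOR_NAME": "demo", "GIT_AUTHOR_EMAIL": "demo@example.invalid",
        "GIT_COMMITTER_NAME": "demo", "GIT_COMMITTER_EMAIL": "demo@example.invalid"}


def _git(repo: str, *args: str) -> subprocess.CompletedProcess:
    return subprocess.run(["git", "-C", repo, *args], env=_ENV,
                          capture_output=True, text=True)


def commit_is_reachable(repo: str, sha: str) -> bool:
    """True if at least one branch or tag in `repo` contains `sha`.

    A dangling commit has no ref pointing at it, so nothing is listed here,
    even though a hosting platform that still holds the object serves it by SHA."""
    res = _git(repo, "for-each-ref", "--contains", sha, "--format=%(refname)")
    return res.returncode == 0 and res.stdout.strip() != ""


def list_dangling(repo: str) -> list[str]:
    """SHAs of commits that no ref reaches. --no-reflogs makes fsck ignore the
    local reflog, which otherwise keeps a freshly deleted branch 'alive'."""
    res = _git(repo, "fsck", "--unreachable", "--no-reflogs")
    return [line.split()[2] for line in res.stdout.splitlines()
            if line.startswith("unreachable commit ")]


def make_demo_repo() -> tuple[str, str, str]:
    """Constructed repo: one commit on the default branch (legitimate history)
    and one commit whose branch is deleted afterwards, leaving the object in
    place with nothing referencing it. Returns (path, reachable_sha, dangling_sha)."""
    repo = tempfile.mkdtemp(prefix="dangling-demo-")
    _git(repo, "-c", "init.defaultBranch=main", "init", "-q")
    _git(repo, "commit", "-q", "--allow-empty", "-m", "docs: legitimate history")
    good = _git(repo, "rev-parse", "HEAD").stdout.strip()
    _git(repo, "checkout", "-q", "-b", "staging")
    _git(repo, "commit", "-q", "--allow-empty", "-m", "add installer")  # the payload commit
    bad = _git(repo, "rev-parse", "HEAD").stdout.strip()
    _git(repo, "checkout", "-q", "-")                 # back to the default branch
    _git(repo, "branch", "-q", "-D", "staging")       # ref gone, object stays
    return repo, good, bad


if __name__ == "__main__":
    repo, good, bad = make_demo_repo()
    for label, sha in (("legitimate", good), ("payload", bad)):
        print(f"{label:10s} {sha[:12]} reachable={commit_is_reachable(repo, sha)}")
    print("fsck unreachable:", list_dangling(repo))
    shutil.rmtree(repo)
```

The point of running both functions is that they answer different questions: `commit_is_reachable` tells you whether the commit in an advertised URL belongs to the history a reviewer would actually see, and `list_dangling` enumerates everything in the object store that the visible history does not account for.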
The attack relies on users' familiarity with GitHub's interface and their trust in the platform's security.
Once the fake installer runs, the malware establishes persistence on the victim's system and opens a covert channel to its command-and-control (C2) servers.
Unit 42 researchers identified the campaign through behavioral analysis of suspicious GitHub repository activity and anomalous download patterns tied to fake GitHub Desktop installers.
Advanced Infection Mechanism and Payload Execution
The infection is multi-stage and begins when the victim runs what appears to be a legitimate GitHub Desktop installer.
The first stage performs system discovery, collecting operating system details, installed software and network configuration from the infected machine.
This reconnaissance data is exfiltrated to attacker-controlled servers before the next stage is fetched, which gives the operators the information they use to decide what to deliver to a given host.
Payload selection is conditional on the host's characteristics.
PowerShell-based variants download the NetSupport remote access trojan (NetSupport RAT) from the C2 infrastructure, while executable variants drop an AutoIt interpreter renamed with a .com extension. The report attributes the renaming to detection evasion; Windows runs a renamed PE file regardless of its extension, so the change costs the attacker nothing.
The malware persists through the registry and routes its activity through legitimate, signed Windows binaries such as MSBuild.exe and RegAsm.exe (living-off-the-land binaries) for payload execution and data exfiltration, so that the malicious activity blends in with normal system operations.
Further evasion includes launching the browser with remote debugging enabled, adding Windows Defender exclusion paths so the dropped files are never scanned, and running stages under trusted system processes. Each of these weakens signature- and reputation-based controls, but each is also a strong detection signal in its own right: Defender records configuration changes as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, PowerShell script block logging captures the Add-MpPreference or Set-MpPreference call, and a browser started with --remote-debugging-port on its command line is rarely legitimate on a user workstation.
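As an added example that is not Unit 42's code or part of the report, the script below turns the behaviours described in this section into detection logic and runs it over a constructed chain of Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) records. The file names, paths, user name and SID in the sample are invented for the demonstration and are not indicators from the campaign; the rule thresholds (which parents are "expected" for MSBuild.exe and RegAsm.exe, which directories count as user-writable) are assumptions to tune per environment.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Union


@dataclass(frozen=True)
class ProcessCreate:           # subset of Sysmon Event ID 1 fields
    image: str
    command_line: str
    parent_image: str


@dataclass(frozen=True)
class RegistrySet:             # subset of Sysmon Event ID 13 fields
    image: str
    target_object: str
    details: str


Event = Union[ProcessCreate, RegistrySet]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
PROXY_BINARIES = {"msbuild.exe", "regasm.exe"}
# Parents under which these two binaries are normally spawned (build tooling,
# installers). Anything else, such as a renamed AutoIt interpreter, is suspect.
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "msiexec.exe", "services.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|programdata|public)\\", re.I)
MP_EXCLUSION = re.compile(r"\b(set|add)-mppreference\b.*-exclusion(path|process|extension)", re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\(run|runonce)\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> list[str]:
    """Names of the report's behaviours that this single event exhibits."""
    hits: list[str] = []
    if isinstance(ev, ProcessCreate):
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img in {"powershell.exe", "pwsh.exe"} and MP_EXCLUSION.search(ev.command_line):
            hits.append("defender_exclusion_added")
        if img.endswith(".com") and USER_WRITABLE.search(ev.image):
            hits.append("com_extension_binary_in_user_dir")
        if img in PROXY_BINARIES and parent not in EXPECTED_PARENTS:
            hits.append("lolbin_unusual_parent")
        if img in BROWSERS and "--remote-debugging-port" in ev.command_line.lower():
            hits.append("browser_remote_debugging")
    elif RUN_KEY.search(ev.target_object) and USER_WRITABLE.search(ev.details):
        hits.append("run_key_points_to_user_dir")
    return hits


def triage(events: Iterable[Event]) -> list[tuple[str, str]]:
    """(rule, image) pairs, in event order, for every event that matches."""
    return [(rule, ev.image) for ev in events for rule in classify(ev)]


# Constructed sample shaped like the chain the report describes; none of these
# paths, names or SIDs are real indicators.
SAMPLE: list[Event] = [
    ProcessCreate(r"C:\Users\jdoe\Downloads\GitHubDesktopSetup.exe",
                  r"GitHubDesktopSetup.exe", r"C:\Windows\explorer.exe"),
    ProcessCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r'powershell.exe -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\jdoe\AppData\Roaming"',
                  r"C:\Users\jdoe\Downloads\GitHubDesktopSetup.exe"),
    ProcessCreate(r"C:\Users\jdoe\AppData\Roaming\Stage2\svc.com",          # AutoIt renamed to .com
                  r"svc.com C:\Users\jdoe\AppData\Roaming\Stage2\run.a3x",
                  r"C:\Users\jdoe\Downloads\GitHubDesktopSetup.exe"),
    ProcessCreate(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
                  r"RegAsm.exe", r"C:\Users\jdoe\AppData\Roaming\Stage2\svc.com"),
    ProcessCreate(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                  r"chrome.exe --remote-debugging-port=9222 --headless=new",
                  r"C:\Users\jdoe\AppData\Roaming\Stage2\svc.com"),
    RegistrySet(r"C:\Users\jdoe\AppData\Roaming\Stage2\svc.com",
                r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                r"C:\Users\jdoe\AppData\Roaming\Stage2\svc.com"),
    # Benign look-alikes that must not fire:
    ProcessCreate(r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
                  r"MSBuild.exe app.csproj",
                  r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    RegistrySet(r"C:\Windows\System32\msiexec.exe",
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
                r"C:\Program Files\Vendor\agent.exe"),
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE):
        print(f"{rule:34s} {image}")
```

Each rule is deliberately narrow and keyed to one observable the report names, so a single event firing is a lead rather than a verdict; the value is in the sequence, where an installer from Downloads spawns PowerShell that adds a Defender exclusion, then a .com binary in AppData that in turn parents RegAsm.exe and a remote-debuggable browser, and finally writes itself into a Run key.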