Malvertising op targets almost 1M devices via malicious GitHub repos

A large malvertising campaign that used malicious GitHub repositories to deliver information-stealing malware affected nearly 1 million devices globally, across a wide range of consumer and enterprise machines.

Microsoft Threat Intelligence on March 6 posted a blog saying the attack begins when users visit illegal streaming websites embedded with malvertising redirectors. The redirectors send victims to an intermediary website, which then redirects them to GitHub, as well as to Discord and Dropbox.

Microsoft outlined the attack in three stages:

  • The first-stage payload, hosted on GitHub, serves as the dropper for the next-stage payloads.
  • Second-stage files perform system discovery and exfiltrate the collected system information, Base64-encoded into a URL and sent over HTTP to an IP address. The data included the device's memory size, graphics details, screen resolution, operating system, and user paths.
  • Depending on the second-stage payload, various third-stage payloads are deployed. For the most part, the third stage carries out further malicious activity, such as command-and-control (C2) communication to download additional files and exfiltrate data.
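The second-stage behaviour above (host details Base64-encoded into a URL and sent over plain HTTP to a bare IP address) is the kind of traffic a proxy log review can surface. The following scanner is an added example for illustration and is not Microsoft's detection logic: the log line format, the fingerprint field layout and the sample lines are all constructed here, and the documentation-range IP addresses stand in for a real C2 host.

```python
"""Heuristic triage of second-stage fingerprint beacons in web-proxy logs.

Added example for illustration; it is not Microsoft's detection logic and
the log format and payload layout below are assumptions. The report says
the second stage Base64-encodes collected system details (memory size,
graphics, screen resolution, OS, user paths) into a URL and sends it over
HTTP to an IP address, so this scanner looks for exactly those two traits.
"""
import base64
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Plausible Base64 (standard or URL-safe alphabet), long enough to carry
# a fingerprint rather than a short session token.
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{24,}={0,2}")

# Field names a host fingerprint tends to contain; two distinct hits are
# required so that an ordinary Base64 token does not trip the rule.
HINT_RE = re.compile(
    r"\b(mem|memory|ram|gpu|graphics?|res|resolution|screen|os|windows|path|users?)\b",
    re.IGNORECASE,
)


def try_b64decode(value):
    """Decode value as Base64 text, or return None if it is not plausible."""
    if not B64_RE.fullmatch(value):
        return None
    decoder = base64.urlsafe_b64decode if ("-" in value or "_" in value) else base64.b64decode
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return decoder(padded).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def query_params(query):
    """Split a query string without turning '+' into a space.

    parse_qsl() would do that and corrupt standard-alphabet Base64, so we
    split on '&' and the first '=' ourselves and only percent-decode.
    """
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        yield key, unquote(value)


def is_bare_ip(host):
    """True if the URL host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_url(url):
    """Return the list of reasons a URL resembles a fingerprint beacon."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme == "http" and is_bare_ip(parts.hostname or ""):
        reasons.append("plain HTTP to a bare IP address")
    for key, value in query_params(parts.query):
        decoded = try_b64decode(value)
        if decoded is None:
            continue
        fields = {m.lower() for m in HINT_RE.findall(decoded)}
        if len(fields) >= 2:
            reasons.append(f"param {key!r} decodes to host fingerprint fields {sorted(fields)}")
    return reasons


def scan_log(lines):
    """Scan '<ts> <src_ip> <method> <url> <status>' lines (assumed format)."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        src, url = fields[1], fields[3]
        reasons = analyze_url(url)
        if reasons:
            decoded_hit = any("decodes to" in r for r in reasons)
            findings.append({
                "src": src,
                "url": url,
                "reasons": reasons,
                # A bare-IP HTTP request alone is weak evidence; a decoded
                # fingerprint in the query string is what makes it actionable.
                "confidence": "high" if decoded_hit else "low",
            })
    return findings


# Constructed sample data: the fingerprint layout is a stand-in, not the
# campaign's real format, and the IPs are documentation-range addresses.
SAMPLE_FINGERPRINT = "mem=16GB;gpu=NVIDIA;res=1920x1080;os=Windows 11;path=C:\\Users\\alice"
SAMPLE_LOG = [
    "2025-03-06T10:00:01Z 10.0.0.5 GET http://203.0.113.9/index.php?id="
    + base64.b64encode(SAMPLE_FINGERPRINT.encode()).decode() + " 200",
    "2025-03-06T10:00:02Z 10.0.0.5 GET https://github.com/example/repo/releases/download/v1/setup.zip 200",
    "2025-03-06T10:00:03Z 10.0.0.7 GET https://example.com/search?q="
    + base64.b64encode(b"hello world").decode() + " 200",
    "2025-03-06T10:00:04Z 10.0.0.8 GET http://198.51.100.4/update.php?v=3 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["confidence"].upper(), f["src"], f["url"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed lines, the first request is flagged high (bare IP over HTTP plus a query value that decodes to several fingerprint fields), the fourth is flagged low (bare IP only), and the GitHub download and the short Base64 search token are left alone. In practice the hint list should be tuned to the fields seen in your own environment, and the bare-IP rule will need an allow-list for legitimate IP-addressed HTTP services.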

In this case, users go to "illegal" websites, nominally to "steal" software, movies, and books rather than obtain them legally, explained Chris Gray, Field CTO at Deepwatch. Gray pointed out that by their very nature, these sites are laden with malware. "By visiting these locations, the users are inviting issues that may or may not be defensible using current system settings, supporting software, and/or business processes," said Gray.

Gray said security teams must take a multi-armed approach that includes effective system hardening, applicable role-based access controls, use of supporting security applications, corporate zero-trust foundational practices, user training, and centralized browsing controls through the corporate gateway.

This attack reflects the growing sophistication of credential-focused threats and the importance of securing privileged access, said Patrick Tiquet, vice president of security and architecture at Keeper Security. By using malvertising to trick users into downloading malware from GitHub, Tiquet said, attackers initiate a multi-stage compromise that includes system reconnaissance, persistence mechanisms, and the deployment of infostealers and remote access trojans. "Once inside a system, they can steal credentials, escalate privileges and move laterally to compromise additional accounts and systems," said Tiquet.

Ira Winkler, chief information security officer at CYE, added that this attack relies on people going to pirate websites, which they shouldn't do in the first place. Winkler said the question then becomes why there is no web content filter to block people from going to such websites. "Then it comes down to why our individual users are allowed to download and install any type of software?" said Winkler.

"In both cases, if companies would implement good security practices, which does include blocking malicious and illegal websites, as well as not allowing all users to download and install software, these attacks would be proactively prevented. On people's personal systems, that's clearly different, but again good cyber hygiene practices should include limiting websites people can visit as well as ensuring any user cannot download software."
