- Microsoft says it discovered a major malvertising campaign
- The goal was to deploy infostealers as wide as possible
- The company removed an undisclosed number of GitHub repositories in response
More than a million PCs have been infected by infostealers through a massive malvertising campaign, new research from Microsoft’s security researchers has revealed.
The campaign starts on illegal streaming sites where people can watch pirated content. Apparently, cybercriminals injected ads into those videos, which sent visitors through a roller coaster of redirects, before landing on one of many GitHub repositories under the attackers’ control.
There, they would download the first payload which would run system discovery and collect system information (operating system data, screen resolution, memory size, etc.), exfiltrate it to a server under the attackers’ control, while deploying the second-stage payload.
Infostealers in action
The second-stage payload depends on the compromised device. In some cases, it will be a NetSupport remote access trojan (RAT), followed by the Lumma Stealer or Doenerium infostealer. This malware can grab people’s login credentials, cryptocurrency information, banking details, and more. In other cases, the malware will download an executable file which runs a CMD and drops a renamed AutoIt interpreter with a .com extension.
AutoIt then runs a few additional steps which ultimately lead to the same outcome - the exfiltration of sensitive files from the target system.
In most cases, the payloads were hosted on GitHub, and Microsoft said it took down an undisclosed number of repositories. However, malware was also hosted on Dropbox and Discord. It did not attribute the campaign to any particular threat actor, and said that the victims were found in a wide range of industries.
"This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads," Microsoft said.
"The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack."
Via BleepingComputer
You might also like
- Hundreds of GitHub repositories hijacked to trick users into downloading malware
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
