Microsoft claims that the infostealer campaign has affected one million devices.

Microsoft discovered a malvertising campaign that led users to GitHub-hosted information stealers.


According to Microsoft, a malvertising campaign has affected almost a million devices by diverting users to information-stealing software housed on GitHub.

The campaign, which was attributed to a threat actor tracked as Storm-0408, targeted users of illicit streaming services. Malvertising redirectors took them to an intermediate domain before landing them on GitHub, the Microsoft-owned code hosting platform.

According to Microsoft, the opportunistic attacks affected “a wide range of organizations and industries, including both consumer and enterprise devices.” The attackers mostly used GitHub to host the malware, but they also used Dropbox and Discord.


The multi-layer infection chain seen in these attacks comprised a first-stage payload hosted on GitHub that functioned as a dropper, second-stage files used for system discovery and information theft, and third-stage payloads used for further malicious actions.

Once on a victim’s device, the malware fetched from the GitHub repositories would download and run further files and scripts in order to collect more system data, establish persistence, run commands, and steal information from the compromised computer.

Microsoft specifically found victims’ systems running an upgraded version of Doenerium and the Lumma stealer, as well as various PowerShell, JavaScript, VBScript, and AutoIt scripts, and the NetSupport remote monitoring and management (RMM) program.

The threat actors used scripts and living-off-the-land binaries such as PowerShell, MSBuild, and RegAsm for command-and-control (C&C) communication and for exfiltrating data and browser credentials. For persistence, the attackers placed a shortcut file in the Startup folder and modified registry Run keys.
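The two persistence locations named in the paragraph above (Startup-folder shortcuts and registry Run keys) are easy to audit from the defender's side. The following PowerShell script is an added example written for this page; it is not code from Microsoft's report or from the article. It enumerates the Run and RunOnce keys and both Startup folders, resolves each `.lnk` to its target and arguments, flags commands that launch script hosts or living-off-the-land binaries (the list in `$SuspiciousHosts` is an assumption, seeded with the binaries the article mentions), and records the Authenticode status of the launched file so that signed-but-unexpected binaries still stand out for review.

```powershell
# Added example (not from Microsoft's report or the article): audit the
# persistence locations described above and flag suspicious autostart entries.
# The host list below is an assumption for illustration, not an official IoC list.

$SuspiciousHosts = @(
    'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
    'msbuild.exe', 'regasm.exe', 'rundll32.exe', 'regsvr32.exe', 'cmd.exe', 'autoit3.exe'
)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# PowerShell registry provider adds these metadata properties; they are not Run entries
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    param([string]$Command)
    # Take the quoted program if present, otherwise the first whitespace-delimited token
    if ($Command -match '^\s*"([^"]+)"') { $p = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)') { $p = $Matches[1] }
    else { return $null }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'n/a' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $lower = $Command.ToLowerInvariant()
    foreach ($h in $SuspiciousHosts) {
        if ($lower.Contains($h)) { return $true }
    }
    # Encoded, hidden-window or no-profile PowerShell invocations are worth a look too
    return ($lower -match '-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b')
}

function Get-PersistenceFindings {
    $findings = @()

    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            $findings += [pscustomobject]@{
                Source     = $key
                Name       = $prop.Name
                Command    = $cmd
                Signature  = Get-SignatureStatus (Get-ExecutablePath $cmd)
                Suspicious = Test-SuspiciousCommand $cmd
            }
        }
    }

    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File) {
            $target = $file.FullName
            $arguments = ''
            if ($file.Extension -ieq '.lnk') {
                # Resolve the shortcut to what it actually launches
                $lnk = $shell.CreateShortcut($file.FullName)
                $target = $lnk.TargetPath
                $arguments = $lnk.Arguments
            }
            $cmd = "$target $arguments".Trim()
            $findings += [pscustomobject]@{
                Source     = $folder
                Name       = $file.Name
                Command    = $cmd
                Signature  = Get-SignatureStatus $target
                Suspicious = Test-SuspiciousCommand $cmd
            }
        }
    }
    return $findings
}

# Suspicious entries first; everything is listed so the reviewer sees the full autostart surface
Get-PersistenceFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and the all-users Startup folder are readable. The `Suspicious` flag is a triage hint, not a verdict: legitimate software does register `cmd.exe` or `rundll32.exe` autostarts, so compare the output against a known-good baseline of the same host and pay particular attention to entries whose `Signature` is `Valid` but whose signer you do not recognise, since the article notes the campaign's first-stage payloads were digitally signed.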

Microsoft says the campaign’s first-stage payloads were digitally signed. Twelve distinct certificates used in the attacks were identified and revoked by Microsoft.

The IT giant has published technical details on the malicious files and scripts that were discovered, along with indicators of compromise (IoCs), and has urged users and businesses to make sure their systems are adequately safeguarded against such attacks.
