Key Takeaways:
Microsoft has discovered a widespread malvertising campaign that compromised over one million devices worldwide. The attack exploits illegal streaming sites, using malicious ads to lure users into downloading malware.
Microsoft’s Threat Intelligence team first uncovered this malvertising campaign in December 2024. The attack begins on illegal streaming sites where users watch pirated content. Cybercriminals inject malicious ads into these videos, tricking viewers into visiting harmful GitHub repositories under their control.
“The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms,” Microsoft explained. “These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub.”
GitHub hosted the first-stage payload, which installed code to launch two additional payloads. The first payload collected system details such as the operating system, screen resolution, memory size, graphics capabilities, and user paths. This data was then sent to an attacker-controlled server before triggering the second-stage payload.
The third-stage payload varies based on the compromised device. In some cases, it installs a NetSupport remote access trojan (RAT) to maintain control over the system. It also deploys the Lumma information stealer and the open-source Doenerium infostealer to steal login credentials, banking details, cryptocurrency data, and other sensitive information.
In some cases, the malware downloads an executable file that runs a CMD script and drops a disguised AutoIt interpreter with a .com extension. AutoIt then executes a series of steps to extract additional data from the infected system. While most of these malicious payloads were hosted on GitHub, some were also found on Discord and Dropbox.
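As an added illustration (not from Microsoft's report or this article), the following Python snippet hunts over constructed process-creation records for the pattern in the paragraph above: a child process launched by cmd.exe whose image carries a .com extension but whose file header is a Windows PE, as a real DOS .com program has no MZ stub. The record layout, file paths and captured header bytes are assumptions made for the example.

```python
# Added example: flag ".com" files launched by cmd.exe that are really Windows PE images.
# Hypothetical record format: parent image, child image, first bytes of the child file.

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # disguised interpreter: .com extension, but a PE header (MZ stub)
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Users\alice\AppData\Local\Temp\nsp1.com",
        "header": b"MZ\x90\x00\x03\x00\x00\x00",
    },
    {   # genuine 16-bit DOS .com program: raw code, no MZ signature
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Tools\legacy\oldtool.com",
        "header": b"\xb4\x09\xba\x0e\x01\xcd\x21",
    },
    {   # normal PE launched from Explorer with its real .exe extension
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
        "header": b"MZ\x90\x00\x03\x00\x00\x00",
    },
]


def is_pe(header: bytes) -> bool:
    """Every Windows PE image begins with the 'MZ' DOS-stub signature."""
    return header[:2] == b"MZ"


def suspicious_com_launches(events):
    """Return image paths of cmd.exe children named *.com that are actually PE files."""
    hits = []
    for ev in events:
        image = ev["image"].lower()
        parent = ev["parent"].lower()
        if image.endswith(".com") and parent.endswith("\\cmd.exe") and is_pe(ev["header"]):
            hits.append(ev["image"])
    return hits


if __name__ == "__main__":
    for path in suspicious_com_launches(SAMPLE_EVENTS):
        print("suspicious .com launch:", path)
```

In a real environment the header bytes would come from a file scan or EDR file-header field; the extension and parent-process conditions alone are too noisy on their own.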
Microsoft recommends that organizations reduce this threat’s impact by hardening their Microsoft Defender for Endpoint and operating system configurations. The Microsoft Security Copilot standalone experience also helps security teams automate incident response within their organization.
Furthermore, Microsoft has published hunting queries that security teams can use to find related activity within their own networks. The company has also provided several indicators of compromise and other useful information to help security teams detect and block similar attacks.