Microsoft has announced the discovery of a significant malvertising campaign that has infected more than a million computers with infostealers.
The campaign began on illegal streaming websites, where the attackers embedded malicious ads in the video content. These ads sent viewers through a chain of intermediary redirector sites, eventually landing them on GitHub repositories controlled by the attackers.
Once directed to these repositories, users would unknowingly download the initial payload. This payload collected system information such as operating system data and screen resolution and sent it to a server controlled by the attackers, while simultaneously deploying the second-stage payload.
The second-stage payload varied depending on the infected device. Some installations involved the NetSupport remote access trojan (RAT), followed by the Lumma Stealer or Doenerium infostealer. These infostealers are capable of stealing login credentials, cryptocurrency information, banking details, and other sensitive data.
In other instances, the first stage downloaded an executable that launched a CMD command and dropped a renamed AutoIt interpreter with a .com extension. Windows loads a file based on its PE header rather than its extension, so the renamed interpreter runs normally while slipping past checks that only look for .exe files. The interpreter then ran further steps that also resulted in the exfiltration of sensitive files.
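One practical way to hunt for the renamed-interpreter trick described above is to look for files whose extension says .com but whose content is a Windows PE image, and then check for AutoIt markers inside. The script below is an added example and is not code from Microsoft's report or from BleepingComputer; the AutoIt marker strings it searches for are an assumed heuristic, and the sample files it writes are constructed here purely for demonstration.

```python
import os
import struct
import tempfile
from typing import List, Optional, Tuple

# Marker strings commonly present in AutoIt interpreter binaries and compiled
# scripts. This is an assumed heuristic for the example, not an indicator
# published with the report; tune it against real samples before relying on it.
AUTOIT_MARKERS = (b"AutoIt", b"AU3!")


def is_pe_image(data: bytes) -> bool:
    """Return True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Slicing past the end yields a short slice, so an out-of-range pointer fails safely.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(path: str, data: bytes) -> Optional[str]:
    """Classify a file by extension/content mismatch.

    Returns:
      "autoit-as-com" - a .com file that is a PE image and carries AutoIt markers
      "pe-as-com"     - a .com file that is a PE image (no AutoIt markers found)
      None            - nothing suspicious under this heuristic
    Genuine DOS .com programs are raw code with no MZ header, so they are not flagged.
    Non-.com files are ignored: AutoIt3.exe under its real name is legitimate software.
    """
    if not path.lower().endswith(".com"):
        return None
    if not is_pe_image(data):
        return None
    if any(marker in data for marker in AUTOIT_MARKERS):
        return "autoit-as-com"
    return "pe-as-com"


def scan_dir(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, verdict) for every file classify() flags."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            verdict = classify(full, data)
            if verdict:
                findings.append((full, verdict))
    return findings


def make_fake_pe(extra: bytes = b"") -> bytes:
    """Build a constructed, non-runnable blob with a valid MZ/PE header layout.

    Assumption for the example only: a 0x80-byte stub with e_lfanew = 0x40.
    """
    blob = bytearray(0x80)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)
    blob[0x40:0x44] = b"PE\x00\x00"
    return bytes(blob) + extra


if __name__ == "__main__":
    # Constructed samples: a PE renamed to .com with AutoIt markers, a plain PE
    # renamed to .com, a real-looking DOS .com stub, and a normal .exe.
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "update.com": make_fake_pe(b"AutoIt v3 Script\x00"),
            "helper.com": make_fake_pe(),
            "legacy.com": b"\xb8\x00\x4c\xcd\x21",  # MOV AX,4C00h ; INT 21h
            "AutoIt3.exe": make_fake_pe(b"AutoIt"),
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        for path, verdict in scan_dir(tmp):
            print(f"{verdict:15s} {path}")
```

Run it against a user's profile directory (Temp, AppData, Downloads) on a suspected host; `pe-as-com` hits deserve a look on their own, since legitimate software rarely ships PE binaries under a .com name, and `autoit-as-com` hits match the pattern described in the report.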
Microsoft took down an undisclosed number of GitHub repositories hosting the payloads, but the malware was also found on Dropbox and Discord. The company stated that the campaign targeted a wide range of industries without attributing the activity to a specific threat actor.
“This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads,” Microsoft reported.
“The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.”
This report is based on coverage by BleepingComputer.