Malvertising Attack Infects 1 Million Devices: Microsoft

Photo by: Rawpixel
By Diego Valverde | Journalist & Industry Analyst - Tue, 03/11/2025 - 09:00

A widespread malvertising campaign targeting users of illegal streaming sites has infected nearly 1 million devices with information-stealing malware, according to Microsoft’s Threat Intelligence team. The campaign, tracked as Storm-0408, exploited pirated video platforms to deliver malicious payloads via GitHub, Discord, and Dropbox, affecting both consumer and enterprise devices across multiple industries.

Microsoft researchers say that “these redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub.” This multi-step process highlights the sophistication of the campaign and its ability to evade detection while delivering multiple stages of malware.

Malvertising, or malicious advertising, has become an increasingly prevalent threat in the cybersecurity landscape. By embedding malicious code into legitimate-looking ads or website elements, threat actors can redirect users to harmful sites or deploy malware without their knowledge. In this case, the attackers exploited illegal streaming platforms, which often lack robust security measures, to embed malvertising redirectors directly into video frames. These redirectors then funneled users through a series of malicious sites before delivering payloads hosted on trusted platforms like GitHub, Discord, and Dropbox.

The campaign’s reliance on legitimate services such as GitHub underscores a growing trend among cybercriminals to abuse trusted platforms for hosting malicious content. This tactic not only complicates detection but also leverages the reputation of these services to bypass security measures. Microsoft’s report highlights the evolving nature of cyberthreats, where attackers increasingly use living-off-the-land techniques — leveraging existing system tools like PowerShell and MSBuild — to execute commands and exfiltrate data.

The Storm-0408 campaign employed a multi-stage attack chain to maximize its impact. The initial payload, hosted on GitHub, acted as a dropper that established a foothold in the victim’s system. This dropper then deployed additional payloads designed to gather and exfiltrate sensitive information, including system details such as memory size, GPU specifications, screen resolution, and user paths. The data was encoded in Base64 and transmitted via HTTP to an attacker-controlled IP address.

The second-stage payloads varied depending on the target but often included infostealers like Lumma Stealer or an updated version of Doenerium. In some cases, attackers deployed NetSupport, a legitimate remote monitoring and management tool, alongside the infostealers to maintain persistence and control over compromised systems. The malware also executed scripts in PowerShell, JavaScript, VBScript, and AutoIT to further its objectives, including command-and-control (C2) operations and data exfiltration.

To ensure persistence, the attackers modified registry run keys and added shortcut files to the Windows Startup folder. This allowed the malware to remain active even after system reboots. The campaign’s use of living-off-the-land techniques, such as leveraging built-in system tools, further complicated detection and mitigation efforts.
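An added defensive check, not part of Microsoft's report or this article: a PowerShell audit that lists the two persistence locations described above (Run/RunOnce registry keys and shortcut files in the Startup folders) and flags entries that invoke the script hosts and build tools named in the article or launch from user-writable directories. The key list and the suspicious-pattern heuristic are assumptions to tune for your environment.

```powershell
# Added example: audit the persistence locations described in the article.
# Assumption: these four keys and the pattern below are a reasonable starting point, not an exhaustive list.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Heuristic (assumption): script hosts / LOLBins mentioned in the article, plus paths a non-admin user can write to.
$suspiciousPattern = 'powershell|pwsh|mshta|wscript|cscript|msbuild|autoit|\\AppData\\|\\Temp\\|\\Downloads\\|\\Public\\'

# 1. Registry run keys: every value name under each key is an autostart command.
$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata (PSPath, PSDrive, ...)
        [pscustomobject]@{
            Source     = $key
            Name       = $p.Name
            Command    = [string]$p.Value
            Suspicious = ([string]$p.Value -match $suspiciousPattern)
        }
    }
})

# 2. Startup folders: resolve each .lnk so the real target and arguments are inspected, not the shortcut name.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$shell = New-Object -ComObject WScript.Shell
$findings += @(foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = ("{0} {1}" -f $lnk.TargetPath, $lnk.Arguments).Trim()
        [pscustomobject]@{
            Source     = $dir
            Name       = $_.Name
            Command    = $cmd
            Suspicious = ($cmd -match $suspiciousPattern)
        }
    }
})

# Suspicious entries first; review these against a known-good baseline of the host.
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it under the account whose HKCU hive and Startup folder you want to inspect; HKLM and the all-users Startup folder require an elevated session to read fully on some hosts.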

Malvertising has become a persistent threat, Microsoft’s report says. Earlier this year, Malwarebytes uncovered a fake ad campaign on Google designed to steal account credentials and two-factor authentication codes. Similarly, cybersecurity firm Enzoic noted in a recent report that malvertising remains a significant challenge, particularly as ads become more integrated into web applications and services. Enzoic’s threat research team warns: “As it becomes harder to distinguish what is an ad and what is not, it becomes easier for threat actors to snare unsuspecting visitors.”

The quality of malicious ads has also improved, making it increasingly difficult for users to differentiate between legitimate and fraudulent content. Avast, a leading device security firm, reported a surge in malvertising on platforms like YouTube in early 2024, noting that the sophistication of these ads has grown significantly.

Microsoft Research says that organizations and individuals alike must remain vigilant, particularly when accessing high-risk platforms such as illegal streaming sites. Microsoft has since taken down the malicious repositories on GitHub, but the incident underscores the need for continuous monitoring and collaboration between cybersecurity firms and platform providers to mitigate such threats.
