
Microsoft has uncovered a large-scale malvertising campaign that has affected over 1 million devices worldwide. In a blog post detailing its findings, Microsoft revealed that threat actors used platforms such as Dropbox, Discord, and GitHub to distribute malware. The attacks, which were aimed at stealing sensitive information, were discovered early last December. They originated from illegal streaming sites that contained malicious ads and pop-ups. When people visit these sites, they are silently redirected to other platforms, especially GitHub.
The sophistication of these attacks lies in the use of multiple malware families deployed in several stages. Microsoft explained that in the first stage, users are directed to GitHub, where their device is compromised by malware that gives the attackers control of it.
In the second stage, the malware gathers information about the compromised computer, such as the memory size, the type of graphics card, and the operating system it is running. It then drops additional payloads on the system. The type of payload dropped at this stage determines what happens in the third phase. In the third stage, the payload released can be an executable or a PowerShell script. If a PowerShell script is released, it ensures that a NetSupport remote access trojan (RAT) runs every time Windows starts. The malware can then install a Lumma payload to steal user data and browser passwords.
If an executable (.exe) is released instead, it generates and executes a CMD file, after which it drops a renamed AutoIt interpreter with a .com extension. After several further steps, JavaScript code is used to keep the .scr files persistent.
In the concluding phase, the AutoIt malware uses RegAsm or PowerShell to open files, control browsers remotely, and steal more data from the device. At times, PowerShell is also used to instruct Microsoft Defender to exclude certain files from scanning and to install more NetSupport payloads.

How can you tell whether a streaming site is a front for a malvertising campaign? Several signs give the threat away. Be on the lookout for malicious iframes; you can recognise them by sudden redirects, pop-ups, and excessive advertisements. Other indicators of a compromised website can be found by inspecting the URL. If you see domains such as widiaoexhe[.]top or movies7[.]net, the site is most likely a malware trap. Microsoft has published a list of signs that help identify malicious domains.
If you are concerned about protecting your device from these attacks, you should avoid the initial source: illegal streaming websites. While these services are free, they redirect to malicious websites. Microsoft recommends that users strengthen their Microsoft Defender for Endpoint configuration; details of how to do this are explained in its guide. Despite its limitations, Microsoft security experts also recommend multi-factor authentication.
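As an added illustration, not code from Microsoft's report or from this article, the following Python check refangs the two indicator domains named above and runs them over constructed proxy-log lines, flagging both direct hits and requests whose referer is one of those sites (the sudden redirect off the streaming page that the article describes). The log layout, the sample lines and the GitHub path are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit
# Indicator domains named in the article, kept defanged so the list is safe to share.
DEFANGED_IOCS = ["widiaoexhe[.]top", "movies7[.]net"]

def refang(indicator):
    # 'movies7[.]net' -> 'movies7.net'; lower-case so matching is case-insensitive
    return indicator.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}
# Constructed (hypothetical) proxy-log layout: timestamp client method url status referer
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\S+)$")

def host_matches(host, domains):
    # Return the IoC domain that `host` equals or is a subdomain of, else None.
    host = (host or "").lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _, client, _, url, _, referer = m.groups()
    # urlsplit("-") has no hostname, so a missing referer becomes ""
    return {"client": client, "host": urlsplit(url).hostname or "",
            "ref_host": urlsplit(referer).hostname or ""}

def scan(lines):
    # Return (client, alert_type, detail) tuples for direct IoC hits and for
    # requests whose referer is an IoC site: the "sudden redirect" off the
    # streaming page to a non-listed host such as a file-hosting platform.
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        hit = host_matches(rec["host"], IOC_DOMAINS)
        if hit:
            alerts.append((rec["client"], "ioc_domain", hit))
            continue
        ref_hit = host_matches(rec["ref_host"], IOC_DOMAINS)
        if ref_hit:
            alerts.append((rec["client"], "redirect_from_ioc", f"{ref_hit} -> {rec['host']}"))
    return alerts

# Constructed sample log lines, not real traffic; the GitHub path is a placeholder.
SAMPLE_LOG = [
    "2024-12-03T10:01:12Z 10.0.0.5 GET https://movies7.net/watch/123 200 -",
    "2024-12-03T10:01:13Z 10.0.0.5 GET https://cdn.widiaoexhe.top/ad.js 200 https://movies7.net/watch/123",
    "2024-12-03T10:01:14Z 10.0.0.5 GET https://github.com/PLACEHOLDER/PLACEHOLDER/raw/main/loader.zip 200 https://movies7.net/watch/123",
    "2024-12-03T10:05:00Z 10.0.0.9 GET https://docs.python.org/3/ 200 -",
]
```

Calling `scan(SAMPLE_LOG)` yields two direct indicator hits and one redirect alert for client 10.0.0.5, and nothing for the benign request from 10.0.0.9.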