Microsoft Threat Intelligence recently disclosed a sophisticated malvertising campaign that abused popular platforms such as GitHub, Discord, and Dropbox, affecting nearly one million devices globally. The campaign, dubbed Storm-0408, was discovered in December 2024 and targeted Windows systems across a range of browsers, impacting both individual users and large organizations.
The attackers behind the campaign initiated the attack from illegal streaming websites, where they embedded malicious advertisements to generate revenue through pay-per-view or pay-per-click schemes. These ads redirected users to intermediary websites, eventually leading them to malicious GitHub repositories hosting the initial malware payloads.
The multi-stage attack chain involved the deployment of obfuscated JavaScript files on GitHub, serving as a launchpad for additional malware and scripts. These initial payloads established a foothold on compromised devices, enabling the deployment of subsequent payloads aimed at collecting system information and exfiltrating sensitive data.
The attack chain comprised several stages, each with specific objectives. The first-stage payloads acted as droppers for second-stage files used for system discovery and information collection, the results of which were exfiltrated to a command-and-control (C2) server. Depending on the payload, third-stage payloads were then deployed for C2 communication, data exfiltration, and defense evasion, using living-off-the-land binaries and scripts (LOLBAS) to blend in with normal system activity.
The attackers employed a modular approach, dropping multiple payloads with distinct functions such as system discovery, credential theft, and data exfiltration. Persistence was achieved through registry modifications and the creation of shortcut files in the Windows Startup folder. Microsoft’s collaboration with GitHub to dismantle the malicious repositories underscores the importance of industry cooperation in combating cyber threats.
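The two persistence mechanisms named above, Run-key registry modifications and shortcut files dropped into the Windows Startup folder, are both visible in ordinary endpoint telemetry. The following is an added hunting example, not code from Microsoft's report or the campaign itself: it walks Sysmon-style events (Event ID 13, registry value set; Event ID 11, file create) and flags autostart entries written by script hosts or LOLBAS binaries, or whose target lives in a user-writable directory. The event records, user names and paths are constructed for illustration.

```python
import re

# Registry autostart locations (HKCU/HKLM ...\CurrentVersion\Run and RunOnce).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$",
    re.IGNORECASE,
)
# Both the per-user (AppData\Roaming) and all-users (ProgramData) Startup
# folders end in "Start Menu\Programs\Startup".
STARTUP_LNK_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE
)
# Directories a legitimate installer rarely uses for an autostart target but a
# script-dropped payload typically lives in.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE
)
# Script hosts and living-off-the-land binaries that a payload blends in with.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding dict for one Sysmon-style event, or None if benign."""
    image = event.get("Image", "")
    writer = _basename(image)
    if event.get("EventID") == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        details = event.get("Details", "")  # the value data, i.e. the autostart command
        reasons = []
        if writer in SCRIPT_HOSTS:
            reasons.append(f"Run key written by script host {writer}")
        if USER_WRITABLE_RE.search(details):
            reasons.append("autostart target lives in a user-writable directory")
        if reasons:
            return {"technique": "registry Run key", "target": event["TargetObject"],
                    "value": details, "reasons": reasons}
    if event.get("EventID") == 11 and STARTUP_LNK_RE.search(event.get("TargetFilename", "")):
        reasons = []
        if writer in SCRIPT_HOSTS:
            reasons.append(f"Startup shortcut created by script host {writer}")
        if USER_WRITABLE_RE.search(image):
            reasons.append("creating process runs from a user-writable directory")
        if reasons:
            return {"technique": "Startup folder shortcut", "target": event["TargetFilename"],
                    "value": image, "reasons": reasons}
    return None


def find_persistence(events):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry; none of these values come from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\svc.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\ExampleApp\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
     "Details": r"C:\Program Files\ExampleApp\app.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\notes.txt"},
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\x",
     "Details": r"C:\Users\Public\x.exe"},
]

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_EVENTS):
        print(finding["technique"], "->", finding["target"], "|", "; ".join(finding["reasons"]))
```

The legitimate installer event is deliberately left unflagged: the point of the two heuristics is to separate the campaign's script-driven, user-profile-resident persistence from the many benign Run-key and Startup entries a fleet produces, so an analyst can tune the writer list and directory patterns to their own baseline.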
In response to the threat, Microsoft has issued detailed mitigation recommendations, including strengthening Microsoft Defender for Endpoint configurations, enhancing operating environment security, and implementing multi-factor authentication. Ensar Seker, Chief Security Officer at SOCRadar, pointed out that the attackers utilized geofencing, device fingerprinting, and cloaking techniques to evade detection, delivering the malicious payload only to targeted users and making it challenging for security solutions to track and mitigate the campaign.
Seker noted that the malvertising campaign is likely part of a broader Malware-as-a-Service ecosystem, with attackers using pre-built kits to distribute payloads like stealers, ransomware, and banking trojans. While malvertising traditionally targeted Windows users, the rise of macOS and Linux among professionals is expected to lead to an increase in cross-platform payloads. This highlights the evolving landscape of cyber threats and the importance of proactive security measures to protect against such sophisticated attacks.

