Microsoft says malvertising campaign impacted 1 million PCs

​Microsoft has taken down an undisclosed number of GitHub repositories used in a massive malvertising campaign that impacted almost one million devices worldwide.

The company’s threat analysts detected these attacks in early December 2024 after observing multiple devices downloading malware from GitHub repos, malware that was later used to deploy a string of various other payloads on compromised systems.

After analyzing the campaign, they discovered that the attackers injected ads into videos on illegal pirated streaming websites that redirect potential victims to malicious GitHub repositories under their control.

“The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms,” Microsoft explained today. “These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub.”

The malvertising videos redirected users to the GitHub repos that infected them with malware designed to perform system discovery, collect detailed system info (e.g., memory size, graphic details, screen resolution, operating system (OS), and user paths), and exfiltrate the harvested data while deploying additional stage-two payloads.

A third-stage PowerShell script payload then downloads the NetSupport remote access trojan (RAT) from a command-and-control server and establishes persistence in the registry for the RAT. Once executed, the malware can also deploy the Lumma information stealer malware and the open-source Doenerium infostealer to exfiltrate user data and browser credentials.

​On the other hand, if the third-stage payload is an executable file, it creates and runs a CMD file while dropping a renamed AutoIt interpreter with a .com extension. This AutoIt component then launches the binary and may drop another version of the AutoIt interpreter with a .scr extension. A JavaScript file is also deployed to help execute and gain persistence for .scr files.

In the last stage of the attack, the AutoIt payloads use RegAsm or PowerShell to open files, enable remote browser debugging, and exfiltrate additional information. In some cases, PowerShell is also used to configure exclusion paths for Windows Defender or to drop more NetSupport payloads.

While GitHub was the primary platform to host payloads delivered during the campaign’s first stage, Microsoft Threat Intelligence also observed payloads hosted on Dropbox and Discord.

“This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads,” Microsoft said.

“The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.”

Microsoft’s report provides additional and more detailed information regarding the various stages of the attacks and the payloads used across the multi-stage attack chain of this complex malvertising campaign.