Microsoft Threat Intelligence detected a large-scale malvertising campaign in early December 2024 that infected nearly one million devices globally in an opportunistic attack designed to steal information.
The campaign impacted a wide range of organizations and industries, affecting both consumer and enterprise devices, highlighting the indiscriminate nature of the threat.
Microsoft is tracking this activity under the umbrella name Storm-0408, which it uses for threat actors associated with remote access or information-stealing malware.
The attack originated from illegal streaming websites where users typically access pirated videos.
These websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue.
Code from streaming video websites contained iframes with malvertising redirector URLs. Users visiting these sites were unknowingly redirected through a chain of four or five redirection layers, ultimately landing on malicious content hosted on GitHub.
While GitHub was the primary platform used in delivering the initial access payloads, Microsoft also observed some payloads hosted on Discord and Dropbox.
The GitHub repositories, which have since been taken down through collaboration with GitHub’s security team, stored malware used to deploy additional malicious files and scripts on victims’ devices.
The infection process followed a sophisticated multi-stage approach.
Once the redirection to GitHub occurred, the malware established an initial foothold on the user’s device and functioned as a dropper for additional payload stages.
The first-stage payload dropped onto the victim’s device from GitHub, establishing a foothold and often dropping legitimate-looking files to leverage their functionality.
Attack Chain
The second-stage payload conducted system discovery and collected data including memory size, graphic card details, screen resolution, operating system information, and user paths.
This information was Base64-encoded and exfiltrated as a query parameter to command and control servers. The typical URL format observed was: “http:///login.php?event=init&id=&data=”.
In the third stage, depending on the second-stage payload, either one or multiple executables were dropped, sometimes with accompanying encoded PowerShell scripts.
These files initiated command execution, payload delivery, defensive evasion, persistence establishment, and data exfiltration. One notable PowerShell script used the Add-MpPreference cmdlet to modify Microsoft Defender settings:
Add-MpPreference -ExclusionPath 'C:\Users\<username>\AppData\Local\Temp'
Add-MpPreference -ExclusionPath 'C:\Users\<username>\AppData\Roaming'
Add-MpPreference -ExclusionPath 'C:\ProgramData'
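Two detection checks a defender can run over existing telemetry, covering both the second-stage check-in URL described above and the Defender exclusion commands: one scans PowerShell script-block text for Add-MpPreference exclusions pointing at user-writable or catch-all directories, the other matches proxy-log URLs of the login.php?event=init shape and decodes the Base64 discovery data. This is an added example, not code from Microsoft's report; the sample script block, the beacon URL, the 203.0.113.10 address and the discovery string are constructed.

```python
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Exclusion roots the campaign abused: user-writable staging dirs and ProgramData.
RISKY_EXCLUSION_PREFIXES = ("c:\\users\\", "c:\\programdata")
EXCLUSION_RE = re.compile(
    r"add-mppreference\s+-exclusion(?:path|process)\s+['\"]?([^'\"\s]+)", re.IGNORECASE)

def find_risky_exclusions(script_block: str) -> List[str]:
    """Return Add-MpPreference exclusion targets (e.g. from PowerShell script-block
    logging) that point at user-writable or catch-all directories."""
    return [m.group(1) for m in EXCLUSION_RE.finditer(script_block)
            if m.group(1).lower().startswith(RISKY_EXCLUSION_PREFIXES)]

def parse_init_beacon(url: str) -> Optional[dict]:
    """Match the second-stage check-in shape login.php?event=init&id=..&data=..
    and return the Base64-decoded discovery data, or None if it does not match."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/login.php"):
        return None
    # Parse the query by hand: parse_qs would turn a Base64 '+' into a space.
    params = dict(re.findall(r"([^&=]+)=([^&]*)", parts.query))
    if params.get("event") != "init" or "data" not in params:
        return None
    raw = unquote(params["data"])
    try:
        padded = raw + "=" * (-len(raw) % 4)  # tolerate stripped padding
        data = base64.b64decode(padded).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    return {"host": parts.hostname, "id": params.get("id", ""), "data": data}

# Constructed sample inputs (not taken from the report) mirroring the observed patterns.
SAMPLE_SCRIPT_BLOCK = (
    "Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Local\\Temp'\n"
    "Add-MpPreference -ExclusionPath 'C:\\ProgramData'\n"
    "Add-MpPreference -ExclusionPath 'D:\\Backups\\Corp'\n"  # not a staging dir, not flagged
)
SAMPLE_DISCOVERY = "mem=16GB|gpu=GenericGPU|res=1920x1080|os=Windows 11|user=C:\\Users\\victim"
SAMPLE_BEACON = ("http://203.0.113.10/login.php?event=init&id=7f3a&data="
                 + base64.b64encode(SAMPLE_DISCOVERY.encode()).decode())

if __name__ == "__main__":
    print("risky exclusions:", find_risky_exclusions(SAMPLE_SCRIPT_BLOCK))
    print("beacon:", parse_init_beacon(SAMPLE_BEACON))
```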
The final stages deployed information stealers including Lumma stealer and Doenerium to collect browser credentials and other sensitive data.
Additionally, NetSupport, a remote monitoring and management software, was often deployed alongside the information stealers.
The attackers accessed sensitive browser data files including cookies, login data, and web form information from Firefox, Chrome, and Edge browsers.
Microsoft has published detailed detection guidance and hunting queries to help organizations identify and mitigate this threat.
Researchers recommend strengthening Microsoft Defender configurations, implementing multi-factor authentication, and enabling various protective measures to prevent similar attacks in the future.