Friday, March 21, 2025

Microsoft: nearly one million devices hit by malware spread via ads on illegal streaming websites


In brief: If you are going to visit websites that host pirated video streams, you had better be prepared to accept the risks. That is something the owners of the one million devices affected by a malware campaign originating from these sites may not have considered.

Microsoft writes that its threat analysis team detected a large-scale malvertising campaign that impacted nearly one million devices globally in December 2024.

The company traced the attack back to two illegal streaming websites – movies7 and 0123movie – embedded with malvertising redirectors. Attackers injected the ads into videos the sites hosted. These generated pay-per-view or pay-per-click revenue from malvertising platforms and subsequently routed traffic through one or two additional malicious redirectors.

Victims were eventually led to another website, such as a tech support scam site, which then redirected to GitHub.

The GitHub repositories, which have since been taken down, stored malware used to deploy additional malicious files and scripts. Once someone had downloaded the malware, it was used to collect system information and deploy second-stage payloads to exfiltrate documents and data.

A third-stage PowerShell script payload then downloaded the NetSupport remote access trojan (RAT) from a command-and-control server and set persistence in the registry. The RAT could deliver the Lumma information stealer malware or an updated version of the Doenerium infostealer.
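The registry persistence step is a natural detection point for defenders. The following is an added example, not code from Microsoft's report or from this article: a Python filter over constructed Sysmon-style registry-value-set events that flags autostart Run-key writes whose value invokes hidden or encoded PowerShell, or points into a user-writable directory. The Run/RunOnce keys, the command patterns and the sample event lines are assumptions about how such persistence commonly looks, since the article does not name the key the campaign used.

```python
"""
Flag Windows Run-key persistence in Sysmon-style registry events.

Added illustration, not from the Microsoft report: the article only says
the third-stage script "set persistence in the registry". The Run/RunOnce
autostart keys and the command heuristics below are ASSUMPTIONS about where
such persistence commonly lands, and every event line is constructed.
"""
import re

# Autostart locations watched by this example (assumption: common Run keys).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)

# Autostart values worth a closer look: PowerShell with hidden-window or
# encoded-command flags, or a binary living in a user-writable directory.
SUSPICIOUS_CMD_RE = re.compile(
    r"(powershell(\.exe)?\s.*(-enc|-encodedcommand|-w\s*hidden|downloadstring|iex)"
    r"|\\AppData\\|\\Temp\\|\\ProgramData\\)",
    re.IGNORECASE,
)

# Constructed sample events in "EventID|Image|TargetObject|Details" form,
# modelled on Sysmon Event ID 13 (RegistryEvent: value set).
SAMPLE_EVENTS = [
    # Benign: Windows Security tray icon registered by a system process.
    "13|C:\\Windows\\System32\\svchost.exe"
    "|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
    "|%windir%\\system32\\SecurityHealthSystray.exe",
    # Suspicious: PowerShell writes a Run key that launches hidden, encoded PowerShell.
    "13|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
    "|powershell.exe -w hidden -enc SQBFAFgA",
    # Suspicious: installer in Temp registers an autostart binary under AppData.
    "13|C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"
    "|HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Helper"
    "|C:\\Users\\alice\\AppData\\Roaming\\helper\\svc.exe",
    # Benign: unrelated registry value (not an autostart key).
    "13|C:\\Windows\\explorer.exe"
    "|HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
    "|DWORD (0x00000001)",
    # Not a registry event at all (process creation).
    "1|C:\\Windows\\System32\\cmd.exe|-|-",
]


def parse_event(line):
    """Split one constructed pipe-delimited event line into a dict."""
    event_id, image, target, details = line.split("|", 3)
    return {
        "event_id": int(event_id),
        "image": image,
        "target_object": target,
        "details": details,
    }


def is_run_key_event(ev):
    """True if this is a value-set event on an autostart Run/RunOnce key."""
    return ev["event_id"] == 13 and RUN_KEY_RE.search(ev["target_object"]) is not None


def score_autostart(ev):
    """Return the list of reasons an autostart entry looks suspicious (empty if none)."""
    reasons = []
    if SUSPICIOUS_CMD_RE.search(ev["details"]):
        reasons.append("autostart value uses evasive PowerShell flags or a user-writable path")
    if re.search(r"powershell", ev["image"], re.IGNORECASE):
        reasons.append("Run key written by a PowerShell process")
    return reasons


def find_suspicious_persistence(lines):
    """Return (target_object, details, reasons) for every flagged Run-key write."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not is_run_key_event(ev):
            continue
        reasons = score_autostart(ev)
        if reasons:
            findings.append((ev["target_object"], ev["details"], reasons))
    return findings


if __name__ == "__main__":
    for target, details, reasons in find_suspicious_persistence(SAMPLE_EVENTS):
        print(f"{target}\n    -> {details}\n    reasons: {'; '.join(reasons)}")
```

The benign SecurityHealth entry passes because neither its command nor the writing process matches a heuristic; in a real deployment the same two-stage filter (restrict to autostart keys, then score the value and the writer) would be applied to exported Sysmon or EDR telemetry rather than to these constructed lines.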

The malware also allowed attackers to spy on victims' browsing activity and even interact with an active browser, including Firefox, Chrome, and Edge.

The first-stage payloads were digitally signed with a newly created certificate and included some legitimate files to hide their true nature. A total of twelve different certificates were identified, all of which were later revoked.

While GitHub was the primary platform used in the delivery of these payloads, Microsoft also found one payload hosted on Discord and another on Dropbox. As with GitHub, the pages that hosted the malware on these platforms have been removed.

Microsoft writes that the campaign was indiscriminate in nature, impacting both consumer and enterprise devices. It also notes that Windows' Microsoft Defender software is able to detect and flag the malware used in the attack.
