
Massive malvertising campaign exploits GitHub to deploy multi-stage malware


A massive malvertising campaign by Storm-0408 has compromised nearly one million devices worldwide by leveraging illegal streaming websites to distribute malware. Users visiting these sites were unknowingly redirected through multiple layers of malicious websites before landing on repositories hosted on GitHub, where the initial malware payload was stored.

Microsoft’s analysis revealed that the attack method involved embedding malvertising redirectors within movie frames on illegal streaming platforms. These redirectors sent users to GitHub repositories hosting the initial malware payload.

Once executed, the malware deployed a multi-stage attack, collecting system data, executing remote monitoring tools, and stealing sensitive information. The campaign targeted both consumers and enterprises across various industries.

“Since at least early December 2024, multiple hosts downloaded first-stage payloads from malicious GitHub repositories. The users were redirected to GitHub through a series of other redirections. Analysis of the redirector chain determined the attack likely originated from illegal streaming websites where users can watch pirated videos,” researchers said.

[Image: The attack chain explained. | Source: Microsoft]

The first-stage payload, hosted on GitHub, functioned as a dropper, enabling the delivery of additional malware. The second-stage payload conducted system discovery, gathering hardware and operating system data, encoding it in Base64, and transmitting it to a command-and-control server.

The third-stage payload introduced more malicious capabilities, including executing PowerShell scripts, deploying remote monitoring tools like NetSupport RAT, and extracting data. The fourth-stage payload further entrenched itself within the system through advanced persistence mechanisms, modifying the registry and stealing browser credentials.

“Various third-stage payloads were deployed depending on the second-stage payload. In general, the third-stage payload conducted additional malicious activities such as command and control (C2) to download additional files and to exfiltrate data, as well as defence evasion techniques,” researchers explained.

Although GitHub’s security team removed the malicious repositories, additional payloads surfaced on Discord and Dropbox.

[Image: The redirection chain explained. | Source: Microsoft]

Storm-0408 utilised living-off-the-land binaries and scripts (LOLBAS), repurposing legitimate executables such as PowerShell.exe, MSBuild.exe, and RegAsm.exe to execute commands and exfiltrate data. The malware allowed attackers to monitor and extract sensitive user information by exploiting the remote debugging features of Chrome and Edge.

To ensure long-term persistence, the attackers modified the Windows registry and manipulated startup folder settings, enabling the malware to execute upon reboot.

Researchers have urged users to block the known malicious GitHub repositories and associated domains to help reduce exposure. Additionally, monitoring system activity for unauthorised PowerShell executions and LOLBAS activity is crucial for identifying potential infections. Strengthening endpoint security with advanced threat detection tools can further mitigate the threat.
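As an added illustration of the monitoring the researchers recommend (example code written for this page, not Microsoft's or the article's), the following Python triages constructed process-creation records for the patterns described above: LOLBAS binaries launched from user-writable paths or by PowerShell, encoded PowerShell command lines, and Chrome or Edge started with remote debugging enabled. The sample events, file paths and rules are assumptions.

```python
import re

# Constructed sample process-creation records in the shape of Sysmon Event ID 1 /
# Windows 4688 fields; illustrative only, not telemetry from the campaign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": PS, "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Roaming\x.proj"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": PS, "cmdline": "chrome.exe --remote-debugging-port=9222 --headless"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "MSBuild.exe MyApp.sln"},
]

# Binaries the article names as repurposed by Storm-0408, and the browsers
# whose remote-debugging feature was abused (assumed rule set).
LOLBAS = {"powershell.exe", "msbuild.exe", "regasm.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)
REMOTE_DEBUG = re.compile(r"--remote-debugging-(port|pipe)\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return [(event_index, [reasons])] for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        reasons = []
        # LOLBAS binary launched from, or operating on, a user-writable path
        if img in LOLBAS and (USER_WRITABLE.search(ev["parent"]) or USER_WRITABLE.search(cmd)):
            reasons.append(f"{img} tied to a user-writable path")
        # MSBuild/RegAsm are normally started by build tooling, not by a shell
        if img in LOLBAS - {"powershell.exe"} and parent == "powershell.exe":
            reasons.append(f"{img} spawned by PowerShell")
        if img == "powershell.exe" and ENCODED_PS.search(cmd):
            reasons.append("encoded PowerShell command line")
        # A browser exposing its debugging port can be driven to hand over session data
        if img in BROWSERS and REMOTE_DEBUG.search(cmd):
            reasons.append(f"{img} started with remote debugging enabled")
        if reasons:
            hits.append((i, reasons))
    return hits
```

Run over the sample, events 0 to 2 are flagged while the ordinary browser launch and the MSBuild run started by Visual Studio are not.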


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
