Wednesday, April 16, 2025

Microsoft Warns: 1 Million Devices Infected by Malware from GitHub

In a recent alert, Microsoft revealed a large-scale malvertising campaign that has compromised nearly one million devices worldwide.

This campaign, which began in early December 2024, leverages malicious redirects from illegal streaming websites to deliver malware hosted on platforms like GitHub.

The attack is notable for its indiscriminate targeting, affecting both consumer and enterprise devices across various industries.

Malvertising Campaign Details

The campaign starts with malvertising redirectors embedded in iframes on pirated video streaming sites.

These redirectors lead users through multiple layers of malicious websites before ultimately landing on GitHub, where the initial malware payloads are hosted.

Figure: Redirection chain from pirate streaming website to malware files on GitHub

The malware, often disguised as legitimate files, establishes a foothold on the device and acts as a dropper for subsequent payloads.

These additional payloads include information stealers like Lumma and Doenerium, which collect system and browser data.

In some cases, the NetSupport remote monitoring and management (RMM) software is also deployed, allowing for further control over compromised devices.

The attack chain involves multiple stages, each designed to evade detection and persist on the system.

The malware uses living-off-the-land binaries and scripts (LOLBAS) such as PowerShell and AutoIt to execute malicious scripts, exfiltrate data, and establish command and control (C2) communications.

The use of legitimate tools like RegAsm.exe and MSBuild.exe for malicious purposes complicates detection efforts.

The attackers also employ techniques like registry modification and scheduled task creation to ensure persistence.
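As an added illustration of what hunting for this chain can look like (example code written for this page, not Microsoft's detection logic or anything from the alert): a small Python pass over constructed Sysmon-style process-creation events that flags RegAsm.exe or MSBuild.exe launched by a script host or fed input from a user-writable path, plus schtasks and Run-key persistence. The event field names, the AutoIt3.exe image name and the path heuristics are assumptions.

```python
# Added example, not from the Microsoft alert or the article: flag the
# behaviours the article names (RegAsm.exe / MSBuild.exe proxy execution,
# PowerShell or AutoIt launching them, scheduled-task and Run-key persistence)
# in simplified process-creation events. Field names, the AutoIt3.exe image
# name and the user-writable path heuristic are assumptions.
import re

PROXY_BINARIES = {"regasm.exe", "msbuild.exe"}      # named in the article
SCRIPT_HOSTS = {"powershell.exe", "autoit3.exe"}    # AutoIt3.exe name assumed
# Paths an unprivileged user can write to (assumed heuristic).
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads)|temp)\\")

def flag_event(ev):
    """Return a reason string if the event looks suspicious, else None."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    cmd = ev.get("command_line", "").lower()
    if image in PROXY_BINARIES and parent in SCRIPT_HOSTS:
        return f"{image} spawned by script host {parent}"
    if image in PROXY_BINARIES and USER_WRITABLE.search(cmd):
        return f"{image} given input from a user-writable path"
    if image == "schtasks.exe" and "/create" in cmd and USER_WRITABLE.search(cmd):
        return "scheduled task pointing at a user-writable path"
    if image == "reg.exe" and " add " in cmd and "\\currentversion\\run" in cmd:
        return "Run-key persistence via reg.exe"
    return None

def scan(events):
    """Return (event_id, reason) for every flagged event, in input order."""
    return [(ev["id"], r) for ev in events if (r := flag_event(ev))]

# Constructed sample events (Sysmon event ID 1 style, heavily simplified).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe", "command_line": "svchost.exe -k netsvcs"},
    {"id": 2, "image": NET + r"\RegAsm.exe", "parent_image": r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe", "command_line": r"RegAsm.exe C:\Users\alice\AppData\Local\Temp\x.dll"},
    {"id": 3, "image": NET + r"\MSBuild.exe", "parent_image": r"C:\Windows\explorer.exe", "command_line": r"MSBuild.exe C:\Users\alice\Downloads\build.xml"},
    {"id": 4, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": PS, "command_line": r'schtasks /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\u.exe" /sc onlogon'},
    {"id": 5, "image": NET + r"\MSBuild.exe", "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "command_line": r"MSBuild.exe C:\src\proj.csproj"},
    {"id": 6, "image": r"C:\Windows\System32\reg.exe", "parent_image": PS, "command_line": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v u /t REG_SZ /d C:\Users\alice\AppData\Roaming\u.exe"},
]

if __name__ == "__main__":
    for eid, reason in scan(SAMPLE_EVENTS):
        print(f"event {eid}: {reason}")
```

Event 5 (MSBuild under Visual Studio on a source tree) is deliberately left unflagged to show the heuristic's intent; real deployments would tune the path and parent lists to the environment.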

Mitigation and Response

Microsoft recommends several measures to mitigate this threat.

Users should enable tamper protection and network protection in Microsoft Defender for Endpoint and ensure that endpoint detection and response (EDR) is running in block mode.

Additionally, implementing multifactor authentication (MFA) and using phishing-resistant authentication methods can help prevent similar attacks.

Microsoft also advises users to avoid illegal streaming sites and to be cautious of suspicious redirects.

The GitHub security team collaborated with Microsoft to take down the malicious repositories involved in the campaign.

Microsoft’s security tools, including Microsoft Defender XDR, can detect and respond to this threat by identifying suspicious activity and blocking malicious artifacts.

Users are encouraged to stay vigilant and implement robust security measures to protect against evolving threats.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.