Microsoft Disrupts Huge Malvertising Campaign

Microsoft has disrupted a large-scale malvertising campaign that the company said affected more than a million devices over the last few months. The campaign employed a multi-stage attack and infection chain that used multiple redirections, beginning with malicious ads on illegal streaming sites and also used GitHub repositories for payload delivery.
Why It Matters: Malvertising is a well-known and time-worn tactic used by cybercriminals to deliver malware to victims. These campaigns often involve networks of compromised legitimate sites or purpose-built malicious sites that display the malicious ads. In this case, which Microsoft researchers attribute to a group they call Storm-0408, the threat actors used malicious ads embedded in videos on illegal streaming sites to redirect victims through a series of other hops that eventually led them to one of the GitHub repositories hosting an initial payload. After several further stages of downloads and droppers, the victims’ machines were eventually infected with a payload that stole data and took other malicious actions.
Key Details
Microsoft detected the campaign in December 2024 and said that it affected more than a million devices worldwide, both enterprise and consumer devices.
The campaign used four separate stages during the attack chain, beginning with the malware stored in the GitHub repositories. “The GitHub repositories, which were taken down, stored malware used to deploy additional malicious files and scripts. Once the initial malware from GitHub gained a foothold on the device, the additional files deployed had a modular and multi-stage approach to payload delivery, execution, and persistence,” the Microsoft report says.
From there, the subsequent stages were loaded and each one served a different purpose. “Actions conducted across these stages include system discovery (memory, GPU, OS, signed-in users, and others), opening browser credential files, Data Protection API (DPAPI) crypt data calls, and other functions such as obfuscated script execution and named pipe creations to conduct data exfiltration. Persistence was achieved through modification of the registry run keys and the addition of a shortcut file to the Windows Startup folder,” the report says.
The third stage of the malware chain looks for running security software such as antimalware and EDR products.
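The report cites two persistence mechanisms, registry Run keys and a shortcut in the Windows Startup folder. The following PowerShell script is an added example for defenders, not code from the Vulnerable U post or the Microsoft report: it enumerates both locations on a Windows host and flags entries that launch from user-writable paths or via script hosts so an analyst can review them. The registry paths, folder names and `WScript.Shell` COM calls are standard Windows interfaces; the "suspicious" regex is a constructed heuristic, not an indicator from the report.

```powershell
# Added example (not from the article or the Microsoft report): list the two
# persistence locations the report names (Run keys and the Startup folder)
# and mark entries that deserve a second look.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Bookkeeping properties Get-ItemProperty adds to every registry object; not real values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            [pscustomobject]@{
                Source  = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
            }
        }
    }
}

function Get-StartupShortcuts {
    # WScript.Shell resolves .lnk files to their target and arguments.
    $shell = New-Object -ComObject WScript.Shell
    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Filter '*.lnk' -File | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Source  = $_.FullName
                Name    = $_.Name
                Command = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
            }
        }
    }
}

# Constructed heuristic: commands started from user-writable directories or through
# script hosts commonly used to run obfuscated scripts. A match is a review prompt,
# not a verdict; legitimate software also uses some of these paths and hosts.
$suspicious = '\\(AppData|Temp|ProgramData|Users\\Public)\\|powershell|wscript|cscript|mshta|rundll32|regsvr32'

$entries = @(Get-RunKeyEntries) + @(Get-StartupShortcuts)
$entries |
    Select-Object Source, Name, Command,
        @{ n = 'Review'; e = { $_.Command -match $suspicious } } |
    Sort-Object Review -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the HKLM keys and the all-users Startup folder are readable, and compare the output against a known-good baseline from the same image rather than eyeballing it in isolation; the value of this check comes from spotting entries that were not there last time.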
These kinds of campaigns are relatively common, but malvertising infections on this scale are unusual. Microsoft worked with the GitHub security team to take down the repositories that were hosting the malware.