In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that affected nearly one million devices globally. The attack exploited illegal streaming websites and employed a multi-stage payload delivery system using platforms like GitHub, Discord, and Dropbox to deliver malware aimed at information theft. The campaign reflects the pervasive and indiscriminate nature of cyber threats, impacting a diverse range of organizations and sectors.
Affected: devices, organizations, GitHub, Discord, Dropbox
Key points:
- Microsoft detected a malvertising campaign affecting approximately one million devices worldwide.
- The attack originated from illegal streaming websites embedded with malicious advertisements.
- Malware was delivered through GitHub, Dropbox, and Discord.
- The attack included multiple stages with varied payloads aimed at gathering information.
- Microsoft identified the activity as part of a broader pattern tracked under the name Storm-0408.
- Recommendations were provided to help organizations mitigate the threat.
MITRE Techniques:
- T1071.001 - Application Layer Protocol: The malware used HTTP for command and control communications to exfiltrate data.
- T1070.004 - Indicator Removal on Host: The malware modified the registry run keys for persistence.
- T1040 - Network Sniffing: The attackers used various tools to gather sensitive information from network traffic.
- T1082 - System Information Discovery: The malware collected system information like operating system details and screen resolution.
- T1057 - Process Discovery: The malware assessed running processes to identify security software for evasion.
Indicators of Compromise:
- [Domain] movies7[.]net
- [Domain] 0123movie[.]art
- [URL] hxxps://github[.]com/kloserw
- [URL] hxxps://cdn.discordapp[.]com/attachments/1316109420995809283/1316112071376769165/NativeApp_G4QLIQRa.exe
- [IP Address] 192.142.10.246
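As an added defender-side example (not code from the report or from Microsoft), the following Python refangs the indicators listed above and sweeps them across proxy log lines; the log lines and their whitespace-separated format are constructed assumptions, and the matching rules (subdomains of a listed domain, paths below a listed URL) go slightly beyond a plain string compare.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators as listed above; they are refanged before matching.
DEFANGED_IOCS = [
    ("Domain", "movies7[.]net"),
    ("Domain", "0123movie[.]art"),
    ("URL", "hxxps://github[.]com/kloserw"),
    ("URL", "hxxps://cdn.discordapp[.]com/attachments/1316109420995809283/1316112071376769165/NativeApp_G4QLIQRa.exe"),
    ("IP Address", "192.142.10.246"),
]

def refang(value):
    """Undo the usual defanging (hxxp, [.]) so an indicator can be compared with real logs."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)

def match_log_line(line, domains, urls, ips):
    """Return (kind, indicator) for the first IoC a proxy log line hits, else None."""
    parts = line.split()
    if len(parts) < 6:
        return None
    dst_ip, url = parts[2], parts[4].lower()
    if dst_ip in ips:
        return ("IP Address", dst_ip)
    host = urlsplit(url).hostname or ""
    # A domain indicator covers the domain itself and every subdomain of it.
    for d in domains:
        if host == d or host.endswith("." + d):
            return ("Domain", d)
    # A URL indicator covers that URL and paths below it, not an unrelated path sharing a prefix.
    for u in urls:
        if url == u or url.startswith(u.rstrip("/") + "/"):
            return ("URL", u)
    return None

def scan(lines, iocs=DEFANGED_IOCS):
    """Return [(line_number, (kind, indicator))] for every line that matches an IoC."""
    sets = {"Domain": set(), "URL": set(), "IP Address": set()}
    for kind, value in iocs:
        sets[kind].add(refang(value).lower())
    return [(n, hit) for n, line in enumerate(lines, 1)
            if (hit := match_log_line(line, sets["Domain"], sets["URL"], sets["IP Address"]))]

# Constructed sample lines in an assumed format '<ts> <src_ip> <dst_ip> <method> <url> <status>'.
SAMPLE_LOG = [
    "2024-12-03T10:01:02Z 10.0.0.5 203.0.113.9 GET https://www.example.com/ 200",
    "2024-12-03T10:01:05Z 10.0.0.5 203.0.113.10 GET https://ww4.movies7.net/watch/123 200",
    "2024-12-03T10:01:09Z 10.0.0.5 203.0.113.11 GET https://github.com/kloserw/repo/raw/main/x.exe 200",
    "2024-12-03T10:01:12Z 10.0.0.5 192.142.10.246 POST http://192.142.10.246/api 200",
]
```

Calling `scan(SAMPLE_LOG)` flags lines 2 to 4 (subdomain of a listed domain, a repository under the listed GitHub account, and the listed IP) and leaves the benign first line alone.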