“Free” movie streams expose a million pirates to malware and data theft


Illegal streaming site users risk being infected with dangerous malware and losing all their data, crypto, and accounts, the Microsoft Threat Intelligence team warns. While pirates watch videos, a chain of events unfolds behind the scenes, leading to info stealers being downloaded from GitHub, Discord, or Dropbox.

A large-scale malicious advertising (malvertising) campaign started in early December 2024 and has already impacted around a million devices worldwide, including those belonging to large enterprises.

Hackers put together a clever but not overly complicated redirection-chain scheme that appears to be highly effective. The discovered infrastructure contains dozens of malicious websites and as many malicious payloads, and at least 8 IP addresses served as command and control servers.


First, the threat actor, labeled Storm-0408, places malicious ads on illicit streaming platforms.

The ads are embedded within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms. Ads hide within an iframe on illegal streaming websites, and pirates without an ad blocker can’t avoid them.

The malicious ads contain redirectors that route traffic through a few hops to GitHub. The code-sharing platform is the primary channel for delivering initial-access payloads, although the hackers also use Discord, Dropbox, and potentially other legitimate platforms.
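As an added illustration for defenders (not code from Microsoft's report or from this article), the following Python walks constructed proxy-log lines, rebuilds each client's redirect chain by following 3xx Location targets, and flags chains of two or more hops that end in an executable fetched from GitHub, Discord, or Dropbox. The log format, host names, file extensions, and hop threshold are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Fields:
# time client status url referer location ("-" when absent)
SAMPLE_LOG = """\
10:00:01 10.0.0.5 200 http://streaming-example.test/watch?id=7 - -
10:00:02 10.0.0.5 302 http://ads-example.test/click?c=1 http://streaming-example.test/watch?id=7 http://hop1-example.test/go
10:00:02 10.0.0.5 302 http://hop1-example.test/go http://streaming-example.test/watch?id=7 http://hop2-example.test/r
10:00:03 10.0.0.5 302 http://hop2-example.test/r http://streaming-example.test/watch?id=7 https://github.com/example-org/example/releases/download/v1/Setup.exe
10:00:04 10.0.0.5 200 https://github.com/example-org/example/releases/download/v1/Setup.exe http://streaming-example.test/watch?id=7 -
10:05:00 10.0.0.9 200 https://github.com/example-org/example/archive/main.zip - -
"""

# Assumed delivery hosts and payload extensions; tune to your environment.
PAYLOAD_HOSTS = ("github.com", "githubusercontent.com", "discordapp.com", "dropbox.com")
PAYLOAD_EXT = (".exe", ".msi", ".zip", ".7z")
MIN_HOPS = 2  # a direct download is not a redirect chain

def parse_log(text):
    """Turn whitespace-separated lines into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, status, url, referer, location = parts
        events.append({"client": client, "status": int(status), "url": url,
                       "referer": None if referer == "-" else referer,
                       "location": None if location == "-" else location})
    return events

def is_payload_url(url):
    """True when the URL is an executable-style file on a known delivery host."""
    p = urlparse(url)
    host = p.hostname or ""
    on_host = any(host == h or host.endswith("." + h) for h in PAYLOAD_HOSTS)
    return on_host and p.path.lower().endswith(PAYLOAD_EXT)

def find_redirect_chains(events):
    """Per client, follow 3xx -> Location links and flag chains ending in a payload."""
    by_client = defaultdict(dict)
    for e in events:
        by_client[e["client"]][e["url"]] = e
    findings = []
    for client, by_url in by_client.items():
        targets = {e["location"] for e in by_url.values() if e["location"]}
        for start in by_url.values():  # only chain heads: 3xx not reached via a Location
            if start["url"] in targets or not 300 <= start["status"] < 400:
                continue
            hops, cur = 0, start
            while cur and 300 <= cur["status"] < 400 and cur["location"]:
                hops, cur = hops + 1, by_url.get(cur["location"])
            if cur and cur["status"] == 200 and hops >= MIN_HOPS and is_payload_url(cur["url"]):
                findings.append({"client": client, "referer": start["referer"],
                                 "hops": hops, "payload": cur["url"]})
    return findings

if __name__ == "__main__":
    for f in find_redirect_chains(parse_log(SAMPLE_LOG)):
        print(f)
```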


Users are lured to download malware via scam websites, such as tech support, free and pirated content, adult content, clickbait, or seemingly legitimate services.

Once the victim runs the malware, it acts as a dropper, launching several different stages of attacks against the system. A dozen different first-stage payloads were discovered, each digitally signed with a newly created certificate to make the malware look legitimate. The discovered certificates have now been revoked.

In the subsequent stages, the malware first downloads payloads tailored for system discovery, data collection, and exfiltration.

Then, depending on the collected data, the malware will launch various third stages while communicating with the command and control (C2) server.


“The additional payloads included information stealers to collect system and browser information on the compromised device, of which most were either Lumma stealer or an updated version of Doenerium,” the Microsoft Threat Intelligence experts said.

The malware scans for cryptocurrency wallets, including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, indicating potential financial data theft.


Hackers will also steal other sensitive information, such as passwords, browsing history, and screenshots. In some cases, they can even remotely control the infected computer.

“The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack,” Microsoft said.

While the GitHub repositories were taken down, the danger of threat actors deploying new ones remains.

Microsoft advises users to bolster their defenses against this threat by enabling block mode in their endpoint detection and response (EDR) configuration. For overall system security, experts suggest enabling multi-factor authentication (MFA) with phishing-resistant methods, using web browsers with SmartScreen, and keeping all software up to date.