Microsoft has revealed that more than one million computers have been infected through a malicious advertising campaign designed to steal user information. The company detected the attack at the end of last year; the campaign begins on illegal streaming sites that serve pirated content.
On these sites, as reported by Bleeping Computer, the attackers inserted ads that redirect victims to malicious GitHub repositories and to two other platforms under their control. From these repositories the victims download the first payload, which collects detailed system information (operating system data, memory size, graphics details, among others).
‘Malware’ process
Although GitHub was the main platform for delivering payloads and gaining initial access, Microsoft also observed the same activity on Discord and Dropbox. The company explains that once the initial GitHub malware is established on the device, the additional files it distributes carry out several stages of payload delivery, execution and persistence.
The second-stage files were used to perform system discovery and extract information, which was base64-encoded into a URL and sent over HTTP to an IP address. According to Bleeping Computer, the collected information included memory size, graphics details, screen resolution, operating system (OS) and user paths.
Then, in the third stage, and depending on the payload of the previous stage, one or more executable files are placed on the affected device, such as an accompanying PowerShell script that can deploy information-stealing malware like Lumma or Doenerium. These are able to obtain banking data and login credentials, as well as cryptocurrency information.
In the last stage of the attack, if the file is an executable, it creates and runs a CMD file that drops an AutoIt v3 interpreter, whose typical file name is autoit3.exe but which uses a .com file extension. AutoIt then performs further steps that ultimately lead to the same result: the theft of confidential files from the target system.
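As an added example that is not part of the article, the following Python script shows how a defender might look for two of the artifacts described above in constructed, Sysmon-style process-creation and web-proxy log lines: base64-encoded host fingerprint data carried in a URL to a bare IP address, and an AutoIt v3 interpreter running from a renamed .com file. The log format, field names and sample values are assumptions.

```python
import base64
import re
# Constructed sample telemetry (not from the article) in an assumed "key=value" format.
# Proxy line 1 mimics stage 2: a base64 host fingerprint in the URL, sent to a bare IP.
FINGERPRINT = b"os=Windows 10;ram=16GB;gpu=NVIDIA;res=1920x1080"
PROXY_LOGS = [
    "ts=2024-12-01T10:00:01 method=GET host=203.0.113.7 path=/?d="
    + base64.b64encode(FINGERPRINT).decode(),
    "ts=2024-12-01T10:00:05 method=GET host=www.example.com path=/index.html",
]
# Sysmon-style process creation: image path, OriginalFileName from the PE header, parent.
PROCESS_LOGS = [
    "ts=2024-12-01T10:02:10 image=C:\\Users\\u\\AppData\\Local\\Temp\\svc.com original=AutoIt3.exe parent=cmd.exe",
    "ts=2024-12-01T10:02:11 image=C:\\Windows\\System32\\notepad.exe original=NOTEPAD.EXE parent=explorer.exe",
]
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
FINGERPRINT_KEYS = ("os=", "ram=", "gpu=", "res=")  # fields the stage-2 payload collected

def parse_kv(line):
    # Only the first "=" in each token separates key from value (base64 padding keeps its "=").
    return dict(tok.split("=", 1) for tok in line.split(" "))

def decode_b64(value):
    # Re-pad and validate the alphabet; anything that is not base64 yields None.
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def flag_exfil(line):
    # Stage 2 pattern: HTTP request to a bare IP whose query carries a base64 host fingerprint.
    rec = parse_kv(line)
    if not BARE_IP.match(rec.get("host", "")):
        return None
    for part in rec.get("path", "").partition("?")[2].split("&"):
        text = decode_b64(part.partition("=")[2])
        if text and sum(k in text for k in FINGERPRINT_KEYS) >= 2:
            return {"host": rec["host"], "decoded": text}
    return None

def flag_autoit_masquerade(line):
    # Final-stage pattern: an AutoIt v3 interpreter launched from a renamed .com file.
    rec = parse_kv(line)
    if rec.get("original", "").lower() == "autoit3.exe" and rec.get("image", "").lower().endswith(".com"):
        return {"image": rec["image"], "parent": rec.get("parent")}
    return None

def scan(proxy_logs=PROXY_LOGS, process_logs=PROCESS_LOGS):
    hits = [flag_exfil(l) for l in proxy_logs] + [flag_autoit_masquerade(l) for l in process_logs]
    return [h for h in hits if h]
```

Both checks are deliberately narrow heuristics; in practice the fingerprint keys and the renamed-interpreter rule would be tuned to the telemetry actually available.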
Wide range of affected organizations and industries
Microsoft confirms that the GitHub repositories were taken down and that this activity is tracked under the umbrella name Storm-0408, which it uses to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO) or malicious advertising campaigns to distribute malicious payloads.
They add that the campaign affected a wide range of organizations and industries, including both consumer and business devices, which highlights the indiscriminate nature of the attack. Furthermore, although the malware was also hosted on Dropbox and Discord, they do not attribute the campaign to any particular threat actor.