Full Report
Microsoft has disclosed details of a large-scale malvertising campaign that's estimated to have impacted over one million devices globally as part of what it said is an opportunistic attack designed to steal sensitive information. The tech giant, which detected the activity in early December 2024, is tracking it under the broader umbrella Storm-0408, a moniker used for a set of threat actors
Analysis Summary
# Incident Report: Large-Scale Malvertising Campaign Leading to Information Theft
## Executive Summary
Microsoft detected a large-scale malvertising campaign, tracked as Storm-0408, which impacted over one million devices globally using illegal streaming sites to redirect users through a multi-stage environment culminating in the deployment of information-stealing malware like Lumma Stealer and Doenerium. The attack heavily leveraged legitimate platforms such as GitHub for staging initial access payloads, resulting in system reconnaissance, credential harvesting (including cryptocurrency wallet details), and potential data exfiltration. Response involved takedown of malicious repositories, though the full scope of compromise remains widespread.
## Incident Details
- **Discovery Date:** Early December 2024
- **Incident Date:** Began prior to December 2024
- **Affected Organization:** No single target; an estimated one million-plus devices globally (indiscriminate attack)
- **Sector:** Wide range of organizations and industries, including consumer and enterprise devices.
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, prior to detection in December 2024.
- **Vector:** Malvertising embedded on illegal streaming websites.
- **Details:** Attack originated from malicious advertisements embedded via `iframe` elements on these sites, leading to an initial redirector.
### Lateral Movement
- **Details:** Infection involved system discovery (reconnaissance) and delivery/execution of follow-on payloads like NetSupport RAT, facilitating further command execution and data theft.
### Data Exfiltration/Impact
- **Details:** Collection of sensitive information, including system information, installed applications, cryptocurrency wallet details, user data, and browser credentials, stolen by stealer malware (Lumma Stealer, Doenerium), with C2 communications carried out via LOLBAS.
### Detection & Response
- **How it was discovered:** Detected by Microsoft Threat Intelligence in early December 2024.
- **Response actions taken:** GitHub repositories used for hosting initial access payloads were taken down.
## Attack Methodology
- **Initial Access:** Malvertising redirectors embedded in illegal streaming sites leading to an intermediary site, then to GitHub/Dropbox/Discord.
- **Persistence:** Implied through the deployment of RATs and follow-on scripts designed to maintain execution.
- **Privilege Escalation:** Not explicitly detailed, but elevated rights would be required for the Defender configuration changes observed.
- **Defense Evasion:** Use of PowerShell scripts to configure Microsoft Defender exclusions.
- **Credential Access:** Stealer malware (Lumma Stealer) targeted browser credentials and financial information (crypto wallets).
- **Discovery:** System reconnaissance performed after payload deployment to check installed applications and security software.
- **Lateral Movement:** Use of NetSupport RAT as a conduit.
- **Collection:** Gathering system information, installed applications, and browser/financial data.
- **Exfiltration:** Use of LOLBAS (PowerShell.exe, MSBuild.exe, RegAsm.exe) for Command and Control (C2) and data exfiltration.
- **Impact:** Information theft and remote access capability via RAT.
## Impact Assessment
- **Financial:** Implied risk due to targeting of cryptocurrency wallet information.
- **Data Breach:** Sensitive system information, browser credentials, and cryptocurrency wallet data gathered. Volume unknown.
- **Operational:** Potential disruption through the installation of RATs allowing remote command execution.
- **Reputational:** Not explicitly detailed, but impact exists due to compromise across various sectors.
## Indicators of Compromise
- **Network indicators:** C2 channels established using LOLBAS mechanisms.
- **File indicators:** Payloads included Lumma Stealer, Doenerium, and NetSupport RAT. Scripts were written in PowerShell, JavaScript, VBScript, and AutoIt.
- **Behavioral indicators:** Execution of PowerShell scripts to modify Defender exclusions; scanning for cryptocurrency wallet software.
## Response Actions
- **Containment measures:** Takedown of malicious repositories on GitHub used for staging payloads.
- **Eradication steps:** Not explicitly detailed; likely involved removing the malware and scripts from affected endpoints.
- **Recovery actions:** Not explicitly detailed, assumed to involve system remediation after containment.
## Lessons Learned
- **Key takeaways:** Threat actors are effectively weaponizing legitimate, high-reputation services (GitHub, Discord, Dropbox) as staging grounds for malware delivery, bypassing traditional perimeter defenses. Malvertising remains a persistent and scalable initial access vector.
- **What could have been done better:** Detection rates against complex, multi-stage redirection chains need improvement, and behavioral monitoring should be strengthened to detect LOLBAS abuse for data exfiltration.
## Recommendations
- **Prevention measures for similar incidents:** Enhance web filtering to block traffic from known high-risk malvertising sources (illegal streaming sites). Implement robust monitoring for PowerShell script execution that modifies security configurations (e.g., Defender exclusions). Regularly audit cloud storage/code hosting services for unauthorized malicious file staging.