Saturday, June 14, 2025

Nearly 1 million Windows devices targeted in advanced malvertising spree


Nearly 1 million Windows devices were targeted in recent months by a sophisticated “malvertising” campaign that surreptitiously stole login credentials, cryptocurrency, and other sensitive information from infected machines, Microsoft said.

The campaign began in December, when the attackers, who remain unknown, seeded websites with links that downloaded ads from malicious servers. The links led targeted machines through several intermediary sites until finally arriving at repositories on Microsoft-owned GitHub, which hosted a raft of malicious files.

Chain of events

The malware was loaded in four stages, each of which acted as a building block for the next. Early stages collected device information, presumably to tailor configurations for the later ones. Later ones disabled malware detection apps and connected to command-and-control servers; affected devices remained infected even after being rebooted.

“Depending on the second-stage payload, either one or multiple executables are dropped onto the compromised device, and sometimes an accompanying encoded PowerShell script,” Microsoft researchers wrote Thursday. “These files initiate a chain of events that conduct command execution, payload delivery, defensive evasion, persistence, C2 communications, and data exfiltration.”

A broad overview of the four stages. Credit: Microsoft

The campaign targeted “nearly” 1 million devices belonging both to individuals and a wide range of organizations and industries. The indiscriminate approach indicates the campaign was opportunistic, meaning it attempted to ensnare anyone, rather than targeting certain individuals, organizations, or industries. GitHub was the platform primarily used to host the malicious payload stages, but Discord and Dropbox were also used.

The malware located resources on the infected computer and sent them to the attacker’s C2 server. The exfiltrated data included the following browser files, which can store login cookies, saved passwords, form and browsing history, and other sensitive data.

  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\cookies.sqlite
  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\formhistory.sqlite
  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\key4.db
  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\logins.json
  • AppData\Local\Google\Chrome\User Data\Default\Web Data
  • AppData\Local\Google\Chrome\User Data\Default\Login Data
  • AppData\Local\Microsoft\Edge\User Data\Default\Login Data
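The files listed above are only ever read legitimately by the browser that owns them, so a non-browser process opening one of them is a cheap triage signal for this kind of infostealer. The following is an added example, not code from the article or from Microsoft's post: it classifies constructed file-access events (field names `image` and `target` are assumptions, modelled on Sysmon/EDR-style telemetry) and flags reads of these credential stores by anything other than the owning browser. It generalizes the article's Firefox paths to any `*.default-release` profile directory.

```python
"""Flag non-browser processes reading the browser credential stores named above.

Added example; not from the article or Microsoft's post. Events and field names
are constructed/assumed, in the shape of Sysmon- or EDR-style file-access records.
"""
import re
from pathlib import PureWindowsPath

# (path pattern, processes expected to open it). Firefox profile dirs carry a random
# prefix before ".default-release", so that segment is matched with a wildcard.
SENSITIVE_STORES = [
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]*\.default-release\\"
                r"(cookies\.sqlite|formhistory\.sqlite|key4\.db|logins\.json)$", re.I),
     {"firefox.exe"}),
    (re.compile(r"\\Google\\Chrome\\User Data\\Default\\(Web Data|Login Data)$", re.I),
     {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\Default\\Login Data$", re.I),
     {"msedge.exe"}),
]


def classify_access(image: str, target: str) -> str:
    """Return 'expected', 'suspicious' or 'ignore' for one file-access event.

    Note: backup agents and AV scanners also touch these files; in production,
    allow-list those images rather than treating every hit as an incident.
    """
    proc = PureWindowsPath(image).name.lower()
    for pattern, owners in SENSITIVE_STORES:
        if pattern.search(target):
            return "expected" if proc in owners else "suspicious"
    return "ignore"


def triage(events: list[dict]) -> list[dict]:
    """Return only the events where a non-owner process read a credential store."""
    return [e for e in events if classify_access(e["image"], e["target"]) == "suspicious"]


# Constructed sample telemetry: two benign browser reads, two stealer-like reads, one noise event.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\key4.db"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"image": r"C:\Windows\notepad.exe", "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {event['image']} read {event['target']}")
```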

Files stored on Microsoft’s OneDrive cloud service were also targeted. The malware also checked for the presence of cryptocurrency wallets including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, “indicating potential financial data theft,” Microsoft said.

Microsoft said it suspects the sites hosting the malicious ads were streaming platforms providing unauthorized content. Two of the domains are movies7[.]net and 0123movie[.]art.

Microsoft Defender now detects the files used in the attack, and it’s likely other malware defense apps do the same. Anyone who thinks they may have been targeted can check indicators of compromise at the end of the Microsoft post. The post includes steps users can take to prevent falling prey to similar malvertising campaigns.
