Microsoft has revealed details of a massive fraud campaign estimated to have affected more than a million devices worldwide, as part of what it said was an opportunistic attack designed to steal sensitive information.
The tech giant, which detected activity in early December 2024, is tracking it under the broader umbrella Storm-0408, used by a series of threat actors used by a range of threat actors known to distribute remote access or information-stolen malware via phishing, search engine optimization (SEO), or fraudulent activities.
“The attack embedded a redirector born from a fraudulent streaming website, which then led to an intermediary website where users were redirected to GitHub and two other platforms.”
“This campaign impacts a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.”
The most important aspect of the campaign is to use GitHub as a platform for delivering initial access payloads. I found that in at least two other orphaned instances the payload is hosted on Discord and Dropbox. The GitHub repository was then deleted. The company did not disclose the number of such repositories that have been deleted.
Microsoft owns code hosting services act as a staging ground for Dropper malware that is responsible for deploying a set of additional programs, such as Lumma Stealer and Doenerium.
The attack also employs a sophisticated redirection chain consisting of four to five layers, with initial redirectors embedded in the IFRAME element of illegal streaming websites offering pirated content.
The overall infection sequence is a multi-stage process that involves the use of follow-on payloads such as NetSupport rats and automotive scripts to facilitate system discovery, information collection, and more data theft. Remote Access Trojans also act as conduits for steeler malware.
Stage 1 – Establish scaffolding for the target device. Stage 2 – System Reconnaissance, Collecting, and Exfoliation, Payload Delivery Stage 3 – Command Execution, Payload Delivery, Defence Evasion, Persistence, Command and Control Communication, 4 Stages – Powershell Script
Another feature of the attack is that it uses various PowerShell scripts to download NetSupport RAT, identify installed applications and security software, scans for the presence of cryptocurrency wallets, and indicates theft of potential financial data.
“In addition to the fact that Information Steeler, PowerShell, JavaScript, VBScript, and Autoit Scripts were run on the host,” Microsoft said. “Threat actors have incorporated the use of land binaries and scripts (lolbas) for the removal of Powershell.exe, msbuild.exe, and user data and browser credential data, like C2 and Regasm.exe.”
This disclosure is because Kaspersky revealed that fake websites disguised as Deepseek and Grok Artificial Intelligence (AI) chatbots were being used to trick users into installing previously undocumented Python Information Stealer.
I also used Deekseek-themed decoy sites advertised by X’s verified accounts (e.g. @ColeadDisontech, @Gaurdevang2, and @Saduq5) to run a PowerShell script that uses SSH to grant attackers remote access to their computers.
“Cybercriminals use a variety of schemes to lure victims into malicious resources,” the Russian cybersecurity company said. Attackers can also use type scanning through numerous affiliate programs and purchase advertising traffic to malicious sites. ”
Source link
