Malvertising Campaign Targets Over 1 Million Devices
Overview of the Four Stages
Figure: A broad overview of the four stages. (Credit: Microsoft)
The campaign targeted “nearly” 1 million devices belonging both to individuals and a wide range of organizations and industries. The indiscriminate approach indicates the campaign was opportunistic, meaning it attempted to ensnare anyone, rather than targeting certain individuals, organizations, or industries. GitHub was the platform primarily used to host the malicious payload stages, but Discord and Dropbox were also used.
Malware Infection Process
The malware located resources on the infected computer and sent them to the attacker’s C2 (command-and-control) server. The exfiltrated data included the following browser files, which can store login cookies, saved passwords, browsing histories, and other sensitive data:
- \AppData\Roaming\Mozilla\Firefox\Profiles.default-release\cookies.sqlite
- \AppData\Roaming\Mozilla\Firefox\Profiles.default-release\formhistory.sqlite
- \AppData\Roaming\Mozilla\Firefox\Profiles.default-release\key4.db
- \AppData\Roaming\Mozilla\Firefox\Profiles.default-release\logins.json
- \AppData\Local\Google\Chrome\User Data\Default\Web Data
- \AppData\Local\Google\Chrome\User Data\Default\Login Data
- \AppData\Local\Microsoft\Edge\User Data\Default\Login Data
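As an added detection example (not code from Microsoft's report), the check below matches file-access events against the browser credential stores listed above and flags reads by any process other than the browser that owns the store. The Firefox profile folder is matched with a pattern because its name carries a random prefix before ".default-release"; the process names and sample events are constructed assumptions.

```python
import re

# Browser credential/cookie stores named in the report (Windows paths relative to the
# user profile). The Firefox profile folder has a random prefix before ".default-release",
# so that segment is matched with a wildcard rather than a literal name.
SENSITIVE_STORE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]*default-release\\cookies\.sqlite$",
        r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]*default-release\\formhistory\.sqlite$",
        r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]*default-release\\key4\.db$",
        r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]*default-release\\logins\.json$",
        r"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data$",
        r"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data$",
        r"\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data$",
    )
]

# Processes expected to open their own stores (assumed names); any other reader is suspicious.
EXPECTED_READERS = {"firefox.exe", "chrome.exe", "msedge.exe"}


def is_sensitive_store(path: str) -> bool:
    """True if the path points at one of the browser stores listed above."""
    normalized = path.replace("/", "\\")  # tolerate forward-slash paths in telemetry
    return any(p.search(normalized) for p in SENSITIVE_STORE_PATTERNS)


def flag_events(events):
    """events: iterable of (process_name, file_path). Returns the events worth alerting on."""
    alerts = []
    for proc, path in events:
        if is_sensitive_store(path) and proc.lower() not in EXPECTED_READERS:
            alerts.append((proc, path))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("powershell.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("updater.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\key4.db"),
    ("notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for proc, path in flag_events(SAMPLE_EVENTS):
        print(f"ALERT: {proc} read {path}")
```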
Additional Targets
Files stored on Microsoft’s OneDrive cloud service were also targeted. The malware also checked for the presence of cryptocurrency wallets, including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, "indicating potential financial data theft," Microsoft said.
Suspected Malicious Sites
Microsoft said it suspects the sites hosting the malicious ads were streaming platforms providing unauthorized content. Two of the domains are movies7[.]net and 0123movie[.]art.
Detection and Prevention
Microsoft Defender now detects the files used in the attack, and it’s likely other malware defense apps do the same. Anyone who thinks they may have been targeted can check indicators of compromise at the end of the Microsoft post. The post includes steps users can take to prevent falling prey to similar malvertising campaigns.
Conclusion
This malvertising campaign demonstrates the importance of being cautious when interacting with online advertisements and of protecting devices with robust security measures.
Frequently Asked Questions
Q: What is a malvertising campaign?
A: A malvertising campaign is a type of cyber attack where malicious code is distributed through online advertisements.
Q: How many devices were targeted in this campaign?
A: Nearly 1 million devices were targeted in this campaign.
Q: What types of files were exfiltrated from infected devices?
A: The malware exfiltrated browser files, including login cookies, passwords, browsing histories, and other sensitive data.
Q: What is Microsoft doing to protect users from similar attacks?
A: Microsoft Defender now detects the files used in the attack, and it’s likely other malware defense apps do the same. Microsoft also provides indicators of compromise and prevention steps to help users protect themselves from similar malvertising campaigns.