Nearly 1 million Windows devices targeted in advanced “malvertising” spree

A broad overview of the 4 stages.

Credit: Microsoft

The campaign targeted “nearly” 1 million devices belonging both to individuals and to a wide range of organizations and industries. The indiscriminate approach indicates the campaign was opportunistic, meaning it attempted to ensnare anyone, rather than targeting specific individuals, organizations, or industries. GitHub was the platform primarily used to host the malicious payload stages, but Discord and Dropbox were also used.

The malware located resources on the infected computer and sent them to the attacker’s C2 server. The exfiltrated data included the following browser files, which can store login cookies, passwords, browsing histories, and other sensitive data.

  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\cookies.sqlite
  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\formhistory.sqlite
  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\key4.db
  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\logins.json
  • AppData\Local\Google\Chrome\User Data\Default\Web Data
  • AppData\Local\Google\Chrome\User Data\Default\Login Data
  • AppData\Local\Microsoft\Edge\User Data\Default\Login Data
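The file list above is useful as detection input: any process other than the owning browser reading one of these stores is worth an alert. The following is an added example (not code from Microsoft or from the article) that matches file-access events against those paths; the event tuple shape, the constructed sample events and the allowlist of expected reader processes are assumptions, and the Firefox profile directory name is matched with a wildcard.

```python
import re

# Credential and cookie stores named in the Microsoft report, relative to the user profile.
# The Firefox profile directory has a per-install prefix, so '*' stands for one path component.
TARGETED_STORES = [
    r"AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite",
    r"AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\formhistory.sqlite",
    r"AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\key4.db",
    r"AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\logins.json",
    r"AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
]

# Assumed allowlist: the browsers that legitimately open their own stores.
EXPECTED_READERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

def _to_regex(pattern):
    # Escape the literal path, then let '*' match exactly one directory component.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + r"[^\\]*".join(parts) + "$", re.IGNORECASE)

STORE_REGEXES = [_to_regex(p) for p in TARGETED_STORES]

def _relative_to_profile(path):
    # Strip a 'C:\Users\<name>\' prefix so the patterns apply to any user.
    m = re.match(r"^[A-Za-z]:\\Users\\[^\\]+\\(.*)$", path)
    return m.group(1) if m else None

def is_suspicious_access(process_name, path):
    """True when a non-browser process reads one of the targeted credential stores."""
    rel = _relative_to_profile(path)
    if rel is None or not any(rx.match(rel) for rx in STORE_REGEXES):
        return False
    return process_name.lower() not in EXPECTED_READERS

def flag_events(events):
    """events: iterable of (process_name, file_path) tuples; returns the suspicious ones."""
    return [(p, f) for p, f in events if is_suspicious_access(p, f)]

# Constructed sample events (not from the report), shaped like a file-read feed from an EDR or Sysmon.
SAMPLE_EVENTS = [
    ("chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("powershell.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("update.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\logins.json"),
    ("notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for proc, path in flag_events(SAMPLE_EVENTS):
        print(f"ALERT: {proc} read {path}")
```

In production the allowlist should be keyed on verified image paths and signatures rather than bare process names, since a stealer can name its binary anything.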

Files stored on Microsoft’s OneDrive cloud service were also targeted. The malware also checked for the presence of cryptocurrency wallets including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, “indicating potential financial data theft,” Microsoft said.

Microsoft said it suspects the sites hosting the malicious ads were streaming platforms providing unauthorized content. Two of the domains are movies7[.]net and 0123movie[.]art.

Microsoft Defender now detects the files used in the attack, and other antimalware apps likely do the same. Anyone who thinks they might have been targeted can check the indicators of compromise at the top of the Microsoft post. The post includes steps users can take to prevent falling prey to similar malvertising campaigns.