Microsoft has disclosed details of a large-scale malvertising campaign that is estimated to have impacted about a million devices worldwide as part of an opportunistic attack aimed at information theft.
The technology giant, which detected the activity in early December 2024, tracks it under the broader Storm-0408 umbrella, a moniker used for a set of threat actors known to distribute remote access or information-stealing malware through phishing, search engine optimization (SEO) poisoning, or malvertising.
"The attack originated on illegal sites," Microsoft noted.
"The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack."
The most notable aspect of the campaign is the use of GitHub as a platform for delivering the initial payloads. In at least two other isolated cases, payloads were found hosted on Discord and Dropbox. The GitHub repositories have since been taken down. The company did not disclose how many such repositories were removed.
The Microsoft-owned hosting service acted as a staging ground for malware responsible for deploying a number of additional programs, such as Lumma Stealer and Doenerium, which in turn are able to collect system information.
The attack also uses a sophisticated redirect chain consisting of four to five layers, with the initial redirector embedded in an iframe element on illegal streaming sites serving pirated content.
The overall infection sequence is a multi-stage process that includes system discovery, information collection, and the use of follow-on payloads such as NetSupport RAT and AutoIT scripts to facilitate additional data theft. The remote access trojan also serves as a conduit for further malware.
- First stage: establish a foothold on target devices
- Second stage: system discovery, collection and exfiltration, and payload delivery
- Third stage: command execution, payload delivery, defense evasion, persistence, command-and-control communication, and data exfiltration
- Fourth stage: a PowerShell script that configures Microsoft Defender exclusions and runs commands to download data from a remote server
Another characteristic of the attacks is the use of various PowerShell scripts to download NetSupport RAT, identify installed applications and security software, and in particular scan for cryptocurrency wallets, indicating that financial data is being targeted.
"In addition to the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host," Microsoft said. "The threat actors incorporated the use of living-off-the-land binaries and scripts (LOLBAS), such as PowerShell.exe, MSBuild.exe, and RegAsm.exe, for C2 and exfiltration of user data and browser credentials."
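Two of the behaviours described above, the fourth-stage PowerShell script that adds Microsoft Defender exclusions and the proxy execution of MSBuild.exe and RegAsm.exe as LOLBAS, are observable in process-creation telemetry. The following Python is an added example written for this page, not Microsoft's detection logic; the event format, the sample events, and the parent-process and user-writable-path heuristics are constructed assumptions.

```python
import re

# Constructed process-creation style events (not real telemetry); format:
# "<timestamp> <parent_image> -> <image> <command_line>".
SAMPLE_EVENTS = r"""
2024-12-02T10:01:00Z explorer.exe -> powershell.exe powershell -nop -w hidden -c "Add-MpPreference -ExclusionPath 'C:\Users\Public'"
2024-12-02T10:01:05Z powershell.exe -> msbuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Public\stage.xml
2024-12-02T10:01:09Z powershell.exe -> regasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /U C:\Users\Public\loader.dll
2024-12-02T10:02:00Z devenv.exe -> msbuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\src\app\app.csproj
2024-12-02T10:03:00Z explorer.exe -> notepad.exe notepad.exe C:\Users\alice\notes.txt
""".strip()

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<parent>\S+) -> (?P<image>\S+) (?P<cmd>.*)$")

# Rule 1: Defender exclusion tampering from a script host (the article's fourth stage).
EXCLUSION_RE = re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)

# Rule 2: the LOLBAS named in the article, spawned by a script host or fed input
# from a user-writable location (assumed heuristics, not a complete rule set).
LOLBAS = {"msbuild.exe", "regasm.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_RE = re.compile(r"\\(Users\\Public|AppData|Temp)\\", re.I)


def detect(events: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, rule, image) for every event that matches a rule."""
    hits = []
    for line in events.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, parent, image, cmd = m["ts"], m["parent"].lower(), m["image"].lower(), m["cmd"]
        if image in SCRIPT_HOSTS and EXCLUSION_RE.search(cmd):
            hits.append((ts, "defender_exclusion_tampering", image))
        elif image in LOLBAS and (parent in SCRIPT_HOSTS or USER_WRITABLE_RE.search(cmd)):
            hits.append((ts, "lolbas_proxy_execution", image))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The benign MSBuild.exe launch from devenv.exe on a project under C:\src is deliberately left unflagged to show where the heuristics draw the line.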
The disclosure comes as Kaspersky found that fraudulent sites masquerading as the DeepSeek and Grok artificial intelligence (AI) chatbots are being used to deceive users into installing a previously undocumented Python information stealer.
DeepSeek lure sites, which were advertised by verified accounts on X (e.g., @coleaddisontech, @gaurdevang2, and @Saduq5), were also used to execute a PowerShell script that uses SSH to give attackers remote access to the computer.
"Cybercriminals use various schemes to lure victims to malicious resources," the Russian cybersecurity company noted. "Usually, links to such sites are distributed through messengers and social networks. Attackers can also exploit typosquatting or purchase traffic to malicious sites through numerous affiliate programs."