A broad overview of the four stages.
Credit:
Microsoft
The campaign targeted “nearly” 1 million devices belonging both to individuals and a wide range of organizations and industries. The indiscriminate approach indicates the campaign was opportunistic, meaning it attempted to ensnare anyone, rather than targeting certain individuals, organizations, or industries. GitHub was the platform primarily used to host the malicious payload stages, but Discord and Dropbox were also used.
The malware located resources on the infected computer and sent them to the attacker’s c2 server. The exfiltrated data included the following browser files, which can store login cookies, passwords, browsing histories, and other sensitive data.
- \AppData\Roaming\Mozilla\Firefox\Profiles\
.default-release\cookies.sqlite - \AppData\Roaming\Mozilla\Firefox\Profiles\
.default-release\formhistory.sqlite - \AppData\Roaming\Mozilla\Firefox\Profiles\
.default-release\key4.db - \AppData\Roaming\Mozilla\Firefox\Profiles\
.default-release\logins.json - \AppData\Local\Google\Chrome\User Data\Default\Web Data
- \AppData\Local\Google\Chrome\User Data\Default\Login Data
- \AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Files stored on Microsoft’s OneDrive cloud service were also targeted. The malware also checked for the presence of cryptocurrency wallets including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, “indicating potential financial data theft,” Microsoft said.
Microsoft said it suspects the sites hosting the malicious ads were streaming platforms providing unauthorized content. Two of the domains are movies7[.]net and 0123movie[.]art.
Microsoft Defender now detects the files used in the attack, and it’s likely other malware defense apps do the same. Anyone who thinks they may have been targeted can check indicators of compromise at the end of the Microsoft post. The post includes steps users can take to prevent falling prey to similar malvertising campaigns.
