Full Report
Microsoft has taken down an undisclosed number of GitHub repositories used in a massive malvertising campaign that impacted almost one million devices worldwide. [...]
Analysis Summary
# Incident Report: Malvertising Campaign Leading to Info-Stealers and RAT Deployment
## Executive Summary
A large-scale malvertising campaign, tracked by Microsoft as Storm-0408, successfully compromised an estimated one million PCs by leveraging malicious advertisements to trick users into downloading malware payloads hosted on platforms like GitHub, Dropbox, and Discord. The attack utilized a multi-stage delivery system, culminating in the deployment of remote access trojans (RATs) like NetSupport and information stealers such as Lumma and Doenerium, resulting in system discovery, credential harvesting, and broad operational impact across various sectors.
## Incident Details
- **Discovery Date:** Not explicitly stated, but reported by Microsoft Threat Intelligence.
- **Incident Date:** Ongoing campaign reported by Microsoft on March 6, 2025 (based on inferred publication date).
- **Affected Organization:** Not a single organization; the campaign impacted systems globally across a wide range of organizations and industries.
- **Sector:** Consumer and Enterprise sectors globally.
- **Geography:** Global.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified.
- **Vector:** Malvertising campaigns leading users to malicious links.
- **Details:** Users likely encountered deceptive advertisements that, when clicked, redirected them to download first-stage malware payloads.
### Lateral Movement
- **Vector (Implied):** System discovery and execution of secondary payloads.
- **Details:** Initial malware performed system discovery, collecting detailed configuration information (memory, OS, user paths). Subsequent stages involved downloading further payloads to establish deeper control, including RATs.
### Data Exfiltration/Impact
- **Impact:** System information exfiltration, deployment of NetSupport RAT, deployment of Lumma and Doenerium info-stealers to steal user data and browser credentials.
- **Details:** Data gathered included system specifications and user credentials. Remote access was established via NetSupport RAT persistence mechanisms.
### Detection & Response
- **Detection:** Detected and tracked by Microsoft Threat Intelligence under the designation Storm-0408.
- **Response actions taken:** Microsoft published a detailed advisory revealing the attack stages and payloads. (Specific organizational containment/eradication actions are not detailed in the provided text, only Microsoft's tracking).
## Attack Methodology
- **Initial Access:** Malvertising campaign redirection leading to the download of first-stage payloads hosted on GitHub, Dropbox, or Discord.
- **Persistence:** Establishing persistence via registry modification for the NetSupport RAT, potentially using PowerShell or AutoIt components.
- **Privilege Escalation:** Techniques not explicitly detailed, though use of PowerShell suggests potential system-level execution capabilities.
- **Defense Evasion:** Use of AutoIt components (.com and .scr extensions) and PowerShell execution to configure exclusion paths for Windows Defender.
- **Credential Access:** Deployment of Lumma and Doenerium infostealers designed to harvest browser credentials.
- **Discovery:** Initial execution included malware designed for system discovery (memory size, OS, user paths).
- **Lateral Movement:** Implied through the deployment of a RAT (NetSupport) capable of remote control.
- **Collection:** Targeting user data and browser credentials using infostealers.
- **Exfiltration:** Harvested data transmitted from compromised endpoints.
- **Impact:** Establishment of persistent remote access and theft of sensitive user data/credentials.
## Impact Assessment
- **Financial:** Not specified; estimated costs unknown.
- **Data Breach:** User data and browser credentials were the primary target of exfiltration via infostealers.
- **Operational:** Impacted an estimated 1 million PCs globally across consumer and enterprise environments.
- **Reputational:** Public disclosure by Microsoft highlights the supply chain risk via major cloud/file hosting services.
## Indicators of Compromise
- **Network indicators:** Command-and-control (C2) servers hosting the NetSupport RAT and the second/third-stage payloads. Specific C2 addresses are not reproduced in this summary; the source advisory is `microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/` (the publication, not an indicator).
- **File indicators:** AutoIt interpreter components (.com, .scr extensions), NetSupport RAT payload, Lumma stealer, Doenerium infostealer.
- **Behavioral indicators:** Execution of PowerShell to configure Defender exclusions, remote browser debugging initiation, registry modifications for establishing RAT persistence.
## Response Actions
- **Containment measures:** Not explicitly detailed for affected organizations; removal of the initial payloads is implied.
- **Eradication steps:** Removal of NetSupport RAT, Lumma, and Doenerium, cleaning up persistence mechanisms in the registry.
- **Recovery actions:** Re-imaging or sanitization of the 1 million affected systems and rebuilding access controls.
## Lessons Learned
- Malvertising remains a highly effective, low-effort distribution vector for compromise at massive scale.
- Attackers successfully leveraged legitimate, trusted cloud/hosting services (GitHub, Dropbox, Discord) to host malicious payloads, complicating blocking efforts.
- Multi-stage infection chains involving AutoIt, PowerShell, and RATs demonstrate sophisticated attempts to bypass endpoint detection and response (EDR) solutions.
## Recommendations
- Enhance user training focusing on identifying malicious advertisements and avoiding unexpected downloads from search results.
- Implement strict application control policies to restrict execution of certain file types (like AutoIt interpreters) from non-standard directories.
- Review and tighten policies on the use of legitimate services (GitHub, Discord) and monitor them for anomalous file-hosting and download patterns.
- Ensure EDR solutions are configured aggressively to detect the initial execution and subsequent defense evasion techniques (e.g., Defender exclusion changes via PowerShell).
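As an added example (not code from Microsoft's advisory or from any affected organization), the following Python triage script flags the behavioral indicators listed above (Defender exclusion changes via PowerShell, Run-key persistence pointing at .com/.scr payloads, browser remote-debugging startup) in a batch of endpoint log lines. The log layout, file paths and the Run-key location are constructed for illustration; the `Add-MpPreference`/`Set-MpPreference` exclusion parameters and the `--remote-debugging-port` browser flag are real.

```python
"""Flag Storm-0408-style behaviors in endpoint telemetry (added example)."""
import re
from dataclasses import dataclass

# One regex per behavioral indicator the report names. Cmdlet parameters and
# the browser flag are real; the log layout they are matched against is assumed.
RULES = {
    # PowerShell adding a Defender exclusion (Add-/Set-MpPreference -Exclusion*)
    "defender_exclusion": re.compile(
        r'(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b', re.I),
    # Run-key value pointing at a .com/.scr payload (assumed persistence key)
    "run_key_persistence": re.compile(
        r'\\CurrentVersion\\Run\\.*\.(com|scr)\b', re.I),
    # .com/.scr referenced under a user-writable path (renamed AutoIt interpreter)
    "com_scr_in_user_path": re.compile(
        r'\\(AppData|Temp|Downloads)\\[^\s"]+\.(com|scr)\b', re.I),
    # Browser started with a remote-debugging port (browser credential access)
    "browser_remote_debug": re.compile(
        r'(chrome|msedge|brave)\.exe.*--remote-debugging-port=\d+', re.I),
}

@dataclass
class Finding:
    line_no: int
    rule: str
    text: str

def scan_lines(lines):
    """Return one Finding per (line, rule) match; a line may trip several rules."""
    return [Finding(n, name, line.strip())
            for n, line in enumerate(lines, 1)
            for name, rx in RULES.items() if rx.search(line)]

def summarize(findings):
    """Hits per rule, so an analyst sees which stages of the chain were observed."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts

# Constructed sample telemetry (process-creation and registry-set events), not real logs.
SAMPLE_LOGS = [
    'ProcessCreate user=alice image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmd="powershell -w hidden Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Roaming\\Upd"',
    'RegistrySet key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater '
    'data="C:\\Users\\alice\\AppData\\Roaming\\Upd\\svc.com"',
    'ProcessCreate user=alice image=C:\\Users\\alice\\AppData\\Roaming\\Upd\\svc.com cmd="svc.com a.a3x"',
    'ProcessCreate user=alice image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe '
    'cmd="chrome.exe --headless --remote-debugging-port=9222"',
    'ProcessCreate user=bob image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOGS)
    for f in hits:
        print(f"line {f.line_no}: {f.rule}")
    print(summarize(hits))
```

The benign notepad line produces no finding, while the registry event trips two rules at once; correlating several rules on one host is the signal worth alerting on rather than any single match.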