Nearly 1 million Windows devices targeted in advanced “malvertising” spree

The recent campaign cast a wide net, reaching nearly 1 million devices across many sectors, from individual users to large organizations. This opportunistic approach suggests no particular targeting: it aimed to ensnare anyone within reach rather than specific victims. The primary platform for hosting the malicious payload was GitHub, although Discord and Dropbox also played roles in the scheme.

Data Exfiltration and Targeted Resources

Once a system was infected, the malware scoured it for valuable resources and relayed sensitive information back to the attacker's command and control (C2) server. Among the exfiltrated data were browser files that can hold login cookies, saved passwords, browsing history, and other private information. The files targeted for exfiltration included:

  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\cookies.sqlite
  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\formhistory.sqlite
  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\key4.db
  • AppData\Roaming\Mozilla\Firefox\Profiles\.default-release\logins.json
  • AppData\Local\Google\Chrome\User Data\Default\Web Data
  • AppData\Local\Google\Chrome\User Data\Default\Login Data
  • AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Files stored on Microsoft's OneDrive cloud service were also at risk. The malware showed a particular interest in cryptocurrency wallets, scanning for applications such as Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, which raises concerns about financial data theft.

Microsoft has indicated that the domains hosting the malicious advertisements were associated with streaming platforms offering unauthorized content, including movies7[.]net and 0123movie[.]art. In response, Microsoft Defender has been updated to detect the files involved in the attack, and other malware defense products are expected to follow suit.

For those who suspect they may have been affected, Microsoft has provided a comprehensive post detailing indicators of compromise, along with preventive measures to safeguard against similar malvertising campaigns in the future.
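As an added defender-side example (not code from the Winsage article or from Microsoft's advisory), the script below checks constructed DNS query lines and file-access events against the indicators the article names: the two defanged ad domains and the browser credential stores listed above. The `<profile>` placeholder standing in for the random prefix of a Firefox profile folder, the Sysmon-style `Image=`/`TargetFilename=` line layout, the set of browsers expected to read their own stores, and all sample log data are assumptions made for this example.

```python
"""Added triage example (not from the Winsage article or Microsoft's advisory):
match the article's indicators, defanged ad domains and browser credential
files, against constructed log lines the way a quick IoC sweep would."""
import re

# Domains quoted in the article, kept in the defanged form reporting uses.
DEFANGED_DOMAINS = ["movies7[.]net", "0123movie[.]art"]

# Browser credential stores named in the article, relative to the user profile.
# Assumption: on disk the Firefox profile folder carries a random prefix
# (e.g. "abc123.default-release"); <profile> stands in for that folder name.
SENSITIVE_FILES = [
    r"AppData\Roaming\Mozilla\Firefox\Profiles\<profile>.default-release\cookies.sqlite",
    r"AppData\Roaming\Mozilla\Firefox\Profiles\<profile>.default-release\formhistory.sqlite",
    r"AppData\Roaming\Mozilla\Firefox\Profiles\<profile>.default-release\key4.db",
    r"AppData\Roaming\Mozilla\Firefox\Profiles\<profile>.default-release\logins.json",
    r"AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
]

# Assumption: the browsers themselves legitimately open their own stores.
EXPECTED_READERS = {"firefox.exe", "chrome.exe", "msedge.exe"}


def refang(ioc: str) -> str:
    """Convert a defanged indicator back to the form that appears in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(domain: str) -> str:
    """Inverse of refang for a bare domain, for writing findings into a report."""
    return domain.replace(".", "[.]")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}


def domain_hits(dns_lines):
    """(line number, listed domain) for each query to a listed domain or a subdomain of it."""
    hits = []
    for n, line in enumerate(dns_lines, 1):
        m = re.search(r"query:\s*([A-Za-z0-9.-]+)", line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")  # drop a trailing root dot
        for d in DOMAINS:
            if name == d or name.endswith("." + d):
                hits.append((n, d))
    return hits


def _compile(pattern: str) -> re.Pattern:
    # Escape the literal path pieces, let <profile> match exactly one folder
    # name, and require the pattern to sit at the end of the path.
    body = r"[^\\]+".join(re.escape(part) for part in pattern.split("<profile>"))
    return re.compile(r"(?:^|\\)" + body + r"$", re.IGNORECASE)


FILE_PATTERNS = [(p, _compile(p)) for p in SENSITIVE_FILES]


def file_hits(event_lines):
    """(line number, reading process, matched store) for reads of a credential
    store by any process other than the browser that owns it."""
    hits = []
    for n, line in enumerate(event_lines, 1):
        m = re.search(r"Image=(.*?)\s+TargetFilename=(.*)$", line)
        if not m:
            continue
        image, target = m.group(1), m.group(2).replace("/", "\\")
        process = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if process in EXPECTED_READERS:
            continue
        for label, rx in FILE_PATTERNS:
            if rx.search(target):
                hits.append((n, process, label))
                break
    return hits


# Constructed sample data, not real telemetry.
DNS_LOG = [
    "10:01:00 client 10.0.0.5 query: cdn.movies7.net A",
    "10:01:05 client 10.0.0.5 query: www.example.org A",
    "10:01:07 client 10.0.0.9 query: 0123movie.art. A",
]
FILE_EVENTS = [
    r"10:02:10 Image=C:\Windows\Temp\updater.exe TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"10:02:11 Image=C:\Program Files\Google\Chrome\Application\chrome.exe TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"10:02:12 Image=C:\Windows\Temp\updater.exe TargetFilename=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x7f3q.default-release\logins.json",
    r"10:02:13 Image=C:\Windows\notepad.exe TargetFilename=C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for n, d in domain_hits(DNS_LOG):
        print(f"dns line {n}: query for {defang(d)}")
    for n, proc, label in file_hits(FILE_EVENTS):
        print(f"event line {n}: {proc} read {label}")
```

The domain check matches subdomains as well as the exact names, since ad and redirector chains rarely use the bare apex; the file check deliberately ignores the browsers themselves, so that only an unexpected process touching a credential store surfaces, which is the behaviour the article attributes to the malware.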

Winsage