Microsoft Threat Intelligence discovered a malvertising campaign that leveraged pirate streaming sites to expose nearly a million devices to information theft. Redirectors embedded on these websites led users through multiple malicious layers, ultimately directing them to GitHub, where a first-stage malware was hosted. This malware collected system configurations and installed further payloads that executed various malicious activities, including stealing stored browser credentials and data exfiltration. The associated malicious GitHub repositories have since been taken down, and Microsoft provided detailed indicators of compromise to assist in mitigating similar future threats.
These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub.
The attackers built four to five redirect layers in the campaign; the GitHub-hosted dropper then installed further payloads that appear to have been designed to steal information, including stored browser credentials.
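The chain described above (streaming site, several redirector hops, a scam or malware landing page, and finally a GitHub-hosted first stage) is something a defender can look for in proxy or web-gateway telemetry. The following is an added example, not code from Microsoft or from the original write-up: it reconstructs per-client redirect chains from a constructed, simplified log format (timestamp, client, requested URL, HTTP status, Location header) and flags chains with at least four redirect hops that terminate on a GitHub download host. The log lines, the domain names, the hop threshold and the host list are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Fields:
#   ts client requested_url status location_header_or_dash
# Client 10.0.0.5 is served an ad redirector on a streaming page, is bounced
# through three more redirectors and a landing page, and ends up fetching a
# file from GitHub. Client 10.0.0.9 shows a benign single-hop redirect.
SAMPLE_LOG = """\
1 10.0.0.5 https://stream-example.test/watch/123 200 -
2 10.0.0.5 https://ad-redirector-1.test/go 302 https://ad-redirector-2.test/r
3 10.0.0.5 https://ad-redirector-2.test/r 302 https://ad-redirector-3.test/x
4 10.0.0.5 https://ad-redirector-3.test/x 302 https://scam-landing.test/page
5 10.0.0.5 https://scam-landing.test/page 302 https://github.com/example-org/example-repo/releases/download/v1/Launcher.exe
6 10.0.0.5 https://github.com/example-org/example-repo/releases/download/v1/Launcher.exe 200 -
7 10.0.0.9 https://news.test/article 302 https://news.test/article/
8 10.0.0.9 https://news.test/article/ 200 -
"""

# Hosts that GitHub serves file downloads from (assumption: tune for your environment).
DROPPER_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Minimum number of 3xx hops before a chain is considered suspicious (assumption).
MIN_REDIRECT_HOPS = 4


@dataclass
class Request:
    ts: int
    client: str
    url: str
    status: int
    location: Optional[str]


def parse_log(text: str) -> List[Request]:
    """Parse the constructed log format into Request records ordered by timestamp."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, location = line.split()
        reqs.append(Request(int(ts), client, url, int(status),
                            None if location == "-" else location))
    return sorted(reqs, key=lambda r: r.ts)


def is_redirect(r: Request) -> bool:
    return 300 <= r.status < 400 and r.location is not None


def build_chains(reqs: List[Request]) -> List[List[Request]]:
    """Follow each client's Location headers to the next request for that URL.

    A chain starts at a redirect whose URL was not itself the target of an
    earlier redirect for the same client, so every hop is counted once.
    """
    targets = {(r.client, r.location) for r in reqs if is_redirect(r)}
    chains = []
    for start in reqs:
        if not is_redirect(start) or (start.client, start.url) in targets:
            continue
        chain = [start]
        cur = start
        while is_redirect(cur):
            nxt = next((r for r in reqs
                        if r.client == cur.client and r.url == cur.location and r.ts > cur.ts),
                       None)
            if nxt is None:
                break
            chain.append(nxt)
            cur = nxt
        chains.append(chain)
    return chains


def flag_chains(reqs: List[Request]) -> List[List[str]]:
    """Return URL lists for chains with >= MIN_REDIRECT_HOPS hops ending on a dropper host."""
    flagged = []
    for chain in build_chains(reqs):
        hops = sum(1 for r in chain if is_redirect(r))
        final_host = urlparse(chain[-1].url).hostname or ""
        if hops >= MIN_REDIRECT_HOPS and final_host in DROPPER_HOSTS:
            flagged.append([r.url for r in chain])
    return flagged


if __name__ == "__main__":
    for chain in flag_chains(parse_log(SAMPLE_LOG)):
        print("suspicious redirect chain:")
        for url in chain:
            print("  ->", url)
```

The chain for 10.0.0.5 is reported (four 3xx hops ending on github.com) while the benign single redirect for 10.0.0.9 is not. In production the hop threshold and host set would be tuned against baseline traffic, and the same logic could key on the referer of the first hop to confine alerting to chains that originate from known streaming or ad-network domains.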