Malvertising Campaign Leads to Info Stealers Hosted on GitHub
Mar 6, 2025
Kajhon Soyini, a Senior Microsoft Security Researcher at Defender Experts, discusses the Lumma Stealer cryptocurrency mining campaign. He uncovers the intricate attack chain involving DLLs and clipboard malware that impacted nearly one million devices globally. Kajhon explains how attackers leverage techniques like registry modifications and obfuscation to evade detection. They also touch on the overlap between Lumma Stealer and other malware families and Microsoft's efforts to combat these evolving threats.
The Lumma Stealer campaign exemplifies advanced cybercrime tactics by utilizing malvertising and repository-based payload delivery to compromise millions of devices.
Microsoft's proactive measures on GitHub highlight the ongoing battle against cyber threats, emphasizing the need for adaptive defenses amid rapidly evolving attack strategies.
Deep dives
Overview of Lumma Stealer Threat
The Lumma Stealer threat, initially identified in December 2024, is associated with the cybercrime actor Storm 1000 and utilizes malvertising through scam and pirated streaming websites. The infection process begins with payloads downloaded from GitHub, which function as droppers that subsequently deploy additional malicious executables onto users' systems. Once active, these payloads run commands to collect system information, including usernames, DNS settings, and GPU details, before exfiltrating this data over encrypted connections. With around a million devices reportedly affected across various industries, this campaign demonstrates a significant increase in threat activity, showcasing the adaptability and persistence of cybercriminal methods in the broader context of malware attacks.
GitHub's Role in Disruption
Microsoft leverages its ownership of GitHub to combat threats like Lumma Stealer, collaborating effectively to identify and take down malicious repositories. The process involves escalating incidents to GitHub to remove harmful content, but the resilience of threat actors often leads to the rapid reemergence of similar malicious repositories following takedowns. This dynamic reflects an ongoing cat-and-mouse game between cybersecurity defenders and cybercriminals, where disruption efforts must continuously adapt to evolving attack strategies. The prevalence of attacks using trusted platforms underscores the complex challenges cybersecurity teams face in protecting users from sophisticated exploitation methods.
Crypto-Mining Campaigns and Techniques
Another notable campaign discussed involves adversaries utilizing command and control techniques for crypto-mining by masquerading as legitimate software on trusted sites like GitHub and YouTube. The attackers employ various techniques such as process injection and disguising malware as benign files, targeting resources like CPUs and memory to mine cryptocurrency. Employing tools like Netcat for command and control, the malware creates encrypted tunnels while leveraging persistence mechanisms that activate upon certain triggers, ensuring continued operation. The sophisticated nature of this campaign includes modifying registry keys and utilizing living-off-the-land binaries, illustrating the evolving tactics threat actors use to evade detection and maintain control.
In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Senior Microsoft Security Researcher Kajhon Soyini to explore the Lumma Stealer cryptocurrency mining campaign targeting individual computers as part of a large-scale malvertising campaign. They discuss the sophisticated attack chain, which includes DLLs, clipboard malware, process injection via Explorer.exe, and how this impacted nearly one million devices around the globe.
Kajhon explains how attackers use registry modifications, WMI event consumers, and obfuscation techniques like non-standard ports and reverse shells to maintain persistence and evade detection. The duo also covers Microsoft's defense efforts and the challenges of tracking down the origins of these attacks.
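Two of the persistence mechanisms named above, registry modifications (the Image File Execution Options "Debugger" value the episode asks about) and WMI event consumers, can be audited from an elevated PowerShell session. The script below is an added, read-only example written for this page; it is not code from the podcast, from Microsoft, or from any tooling the episode describes. It assumes a Windows host with the CIM cmdlets available, and the function and column names are its own.

```powershell
# Added example (not from the podcast or Microsoft): read-only audit of two
# persistence locations mentioned in the episode. Run in an elevated PowerShell.

function Get-IfeoDebuggerEntries {
    # Image File Execution Options: if an executable's subkey carries a "Debugger"
    # value, Windows starts that command whenever the executable is launched.
    # Developer tooling uses this legitimately, so each hit is a review item, not a verdict.
    $ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props.Debugger) {
            [pscustomobject]@{
                Check   = 'IFEO Debugger'
                Target  = $key.PSChildName
                Command = $props.Debugger
            }
        }
    }
}

function Get-WmiPersistence {
    # WMI permanent event subscriptions live in root\subscription: an __EventFilter
    # (the trigger, e.g. a timer or a logon), a consumer (what runs) and a binding
    # that ties the two together. CommandLineEventConsumer and
    # ActiveScriptEventConsumer execute arbitrary commands or scripts, which is
    # why they are the consumer classes listed here.
    $ns = 'root\subscription'
    foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Check = 'WMI filter'; Target = $f.Name; Command = $f.Query }
    }
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Check = 'WMI CommandLine consumer'; Target = $c.Name; Command = $c.CommandLineTemplate }
    }
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Check = 'WMI ActiveScript consumer'; Target = $c.Name; Command = $c.ScriptText }
    }
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        # Filter and Consumer are object references; stringifying them shows which
        # filter fires which consumer.
        [pscustomobject]@{ Check = 'WMI binding'; Target = "$($b.Filter)"; Command = "$($b.Consumer)" }
    }
}

$findings = @(Get-IfeoDebuggerEntries) + @(Get-WmiPersistence)
if ($findings.Count -eq 0) {
    'No IFEO Debugger values and no WMI event subscriptions found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A stock Windows install ships with a built-in "SCM Event Log Filter" subscription bound to an NTEventLogEventConsumer, so expect that filter and binding as baseline; what merits investigation is a CommandLine or ActiveScript consumer, a filter keyed to a timer or logon event, or an IFEO Debugger value pointing at an unexpected path. Compare the output against a known-good host or a golden image rather than reading it in isolation.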
In this episode you’ll learn:
Why the attack chain incorporates legacy malware like NetSupport RAT
The overlap between the Lumma Stealer and Doenerium malware families
How Lumma Stealer uses GitHub repositories and redirector networks to deliver malicious payloads
Some questions we ask:
Can you explain how the malware uses the “Image File Execution Options” registry path?
What role does Netcat play in this campaign’s command and control?
Why do people still mine cryptocurrency today, with all the complexities and attack methods?