Malvertising Campaign Leads to Info Stealers Hosted on Github

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Senior Microsoft Security Researcher Kajhon Soyini to explore the Luma Stealer cryptocurrency mining campaign targeting individual computers as part of a large-scale malvertising campaign. They discuss the sophisticated attack chain, which includes DLLs, clipboard malware, process injection via Explorer.exe, and how this impacted nearly one million devices around the globe.  

Kajhon explains how attackers use registry modifications, WMI event consumers, and obfuscation techniques like non-standard ports and reverse shells to maintain persistence and evade detection. The duo also covers Microsoft's defense efforts and the challenges of tracking down the origins of these attacks. 

In this episode you’ll learn:      

• Why the attack chain incorporates legacy malware like NetSupport RAT 
• The overlap between the Luma Stealer and Donarium malware families 
• How Luma Stealer uses GitHub repositories and redirector networks to deliver malicious payloads 

Some questions we ask:     

• Can you explain how the malware uses the “image file execution objects” registry path? 
• What role does Netcat play in this campaign’s command and control? 
• Why do people still mine cryptocurrency today, with all the complexities and attack methods? 

Resources:  

View Kajhon Soyini on LinkedIn  

View Sherrod DeGrippo on LinkedIn  

Connect with Sherrod and the team at RSAC 

Related Microsoft Podcasts:                   

• Afternoon Cyber Tea with Ann Johnson 
• The BlueHat Podcast 
• Uncovering Hidden Risks     

Discover and follow other Microsoft podcasts at microsoft.com/podcasts  

Get the latest threat intelligence insights and guidance at Microsoft Security Insider 

The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.