Malvertising Campaign Leads to Info Stealers Hosted on Github
In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Senior Microsoft Security Researcher Kajhon Soyini to explore the Luma Stealer cryptocurrency mining campaign targeting individual computers as part of a large-scale malvertising campaign. They discuss the sophisticated attack chain, which includes DLLs, clipboard malware, process injection via Explorer.exe, and how this impacted nearly one million devices around the globe.
Kajhon explains how attackers use registry modifications, WMI event consumers, and obfuscation techniques like non-standard ports and reverse shells to maintain persistence and evade detection. The duo also covers Microsoft's defense efforts and the challenges of tracking down the origins of these attacks.
In this episode you’ll learn:
- Why the attack chain incorporates legacy malware like NetSupport RAT
- The overlap between the Luma Stealer and Donarium malware families
- How Luma Stealer uses GitHub repositories and redirector networks to deliver malicious payloads
Some questions we ask:
- Can you explain how the malware uses the “image file execution objects” registry path?
- What role does Netcat play in this campaign’s command and control?
- Why do people still mine cryptocurrency today, with all the complexities and attack methods?
Resources:
View Kajhon Soyini on LinkedIn
View Sherrod DeGrippo on LinkedIn
Connect with Sherrod and the team at RSAC
Related Microsoft Podcasts:
Discover and follow other Microsoft podcasts at microsoft.com/podcasts
Get the latest threat intelligence insights and guidance at Microsoft Security Insider
The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.
Microsoft Threat Intelligence 