Malicious advertising framework detected, generating more than 1 billion ads in three months

Flashpoint researchers have identified a large fraud framework that parasitizes Google AdSense ads, generates hidden views of Twitch streams and produces fake likes on YouTube.

The researchers write that the attackers' main targets are browsers such as Google Chrome, Mozilla Firefox and Yandex Browser running on Windows machines; the infected machines form the base of the botnet. Over the past three months, more than 1 billion advertisements are reported to have passed through this framework.

Infection of the victim's machine begins with the Installer module, which installs and configures a malicious browser extension and establishes persistence by creating a scheduled task disguised as Windows Update.
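A triage check for the persistence mechanism described above, added here as an example; it is not part of Flashpoint's report or of the malware. It parses the CSV form of `schtasks /query /fo CSV /v` (only the TaskName, Author and Task To Run columns are read, and those column names are assumed to match schtasks' verbose output) and flags tasks whose name imitates Windows Update but whose executable lives outside %SystemRoot%. The sample CSV is constructed for the example, not captured from an infected host.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output, cut
# down to the three columns this check reads. Task names, authors and paths
# are invented for the example; none of them comes from the Flashpoint report.
SAMPLE_SCHTASKS_CSV = '''\
"TaskName","Author","Task To Run"
"\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start","Microsoft Corporation","%windir%\\system32\\sc.exe start wuauserv"
"\\Windows Update","Administrator","C:\\Users\\Public\\Libraries\\wupdate\\updater.exe --silent"
"\\WindowsUpdateCheck","John","""C:\\Users\\John\\AppData\\Roaming\\win svc\\wuchk.exe"" /q"
"\\OneDrive Standalone Update Task-S-1-5-21-1","Microsoft Corporation","C:\\Users\\John\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"
'''

# Task names that borrow the Windows Update brand, with or without a space.
LURE = re.compile(r"windows\s*update", re.IGNORECASE)

# Where a genuine Windows Update task's binary is expected to live. Assumption
# for the example: the system drive is C:. A binary dropped into C:\Windows
# would pass this check, so treat it as a triage filter, not proof of cleanliness.
SYSTEM_ROOT = "c:\\windows\\"
ENV_ALIASES = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows"}


def executable_of(task_to_run: str) -> str:
    """Extract the program path from a Task To Run command line.

    Handles the quoted form (path in double quotes, then arguments) and the
    bare form (path, then arguments). A bare path containing spaces cannot be
    split unambiguously, so the first token ending in a known executable
    extension is taken.
    """
    cmd = task_to_run.strip()
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"(.+?\.(?:exe|com|bat|cmd|vbs|js|ps1|dll))(?=\s|$)", cmd, re.IGNORECASE)
    if bare:
        return bare.group(1)
    return cmd.split(maxsplit=1)[0] if cmd else ""


def normalize(path: str) -> str:
    """Lower-case the path and expand the env-var spellings tasks commonly use."""
    p = path.strip().lower()
    for var, value in ENV_ALIASES.items():
        p = p.replace(var, value)
    return p


def is_under_system_root(path: str) -> bool:
    return normalize(path).startswith(SYSTEM_ROOT)


def find_windows_update_lures(schtasks_csv: str) -> list:
    """Return tasks whose name imitates Windows Update but whose binary is not
    under the system root, as dicts with task, author and executable."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        if not LURE.search(name):
            continue
        exe = executable_of(row.get("Task To Run", ""))
        if is_under_system_root(exe):
            continue  # the real Microsoft task in the sample ends up here
        hits.append({"task": name, "author": row.get("Author", ""), "executable": exe})
    return hits


if __name__ == "__main__":
    for hit in find_windows_update_lures(SAMPLE_SCHTASKS_CSV):
        print(f"SUSPECT {hit['task']!r} by {hit['author']!r} -> {hit['executable']}")
```

On a live host, save `schtasks /query /fo CSV /v` to a file and pass its contents to `find_windows_update_lures`. In the sample, the genuine `\Microsoft\Windows\WindowsUpdate\Scheduled Start` task is cleared because its binary is under %windir%, while the two user-profile binaries named after Windows Update are flagged. The heuristic deliberately ignores the task folder, since malware can create tasks anywhere; it will miss a task whose name uses a different lure or whose binary was dropped under C:\Windows, so follow up on hits by inspecting the task XML and the binary's signature.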


Next, another framework module, Finder, collects cookies and credentials on the infected system and sends them to its operators as ZIP archives. This module also communicates with a secondary command-and-control server, which sends the malware its commands and tells it how often to collect and exfiltrate data from infected systems.

The third module, Patcher, was used in an earlier version of the framework to install the malicious extension; in recent versions its functionality has been folded into the Installer module.

Once the browser is compromised, the extension immediately goes to work, injecting ads into web pages and generating traffic hidden from the user (for example, it "watches" Twitch streams in the background or likes videos on YouTube).

“Basically, the framework code is related to advertising fraud and includes scripts that search for and replace advertising-related code on web pages, but the framework also contains code to track information about clicks and transfer other data to management servers,” the experts write.

Interestingly, ads are not injected on every site the victim visits: the malware carries extensive blacklists that include Google domains, various Russian resources and pornographic sites.

According to Flashpoint, this fraudulent campaign is mainly focused on post-Soviet countries, including Russia, Ukraine and Kazakhstan.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
