the last week, a fake ad began to appear in Google search results, disguised as…
Infection of the victim's machine begins with the Installer module, which installs and configures a malicious browser extension and establishes persistence by creating a scheduled task disguised as Windows Update.
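As an added example (not code from the article or from the researchers it cites), here is a defender-side check for the persistence trick described above: it parses Windows Task Scheduler task definitions and flags any task that presents itself as Windows Update but whose action runs from outside the Windows directory. The task paths, descriptions and executable locations are constructed samples, and the trusted-path rule is a deliberate simplification (only `C:\Windows`, `%SystemRoot%` and `%windir%` count as trusted).

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Task Scheduler XML namespace, the one Windows writes into exported task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task definitions keyed by task path (not real artifacts from the campaign).
# The first mimics a legitimate Windows Update task; the second and third borrow the
# Windows Update name but execute from user-writable locations.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\WindowsUpdate\Scheduled Start": r"""
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Starts the Windows Update service.</Description></RegistrationInfo>
  <Actions><Exec><Command>%SystemRoot%\system32\sc.exe</Command><Arguments>start wuauserv</Arguments></Exec></Actions>
</Task>""",
    r"\Windows Update": r"""
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Windows Update</Description></RegistrationInfo>
  <Actions><Exec><Command>C:\Users\Public\wupdate.exe</Command></Exec></Actions>
</Task>""",
    r"\Maintenance": r"""
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Checks for Windows Update patches</Description></RegistrationInfo>
  <Actions><Exec><Command>"C:\ProgramData\svc\update.exe"</Command></Exec></Actions>
</Task>""",
    r"\MyBackup": r"""
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Tools\backup.exe</Command></Exec></Actions>
</Task>""",
}


def parse_task(xml_text):
    """Return (description, command) from a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text.strip())
    description = root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    return description, command


def looks_like_windows_update(task_path, description):
    """True if the task path or description presents the task as Windows Update."""
    text = f"{task_path} {description}".lower().replace(" ", "")
    return "windowsupdate" in text


def runs_from_windows_dir(command):
    """True if the action executable lives under the Windows directory.
    Simplification: only C:\\Windows, %SystemRoot% and %windir% are treated as trusted."""
    exe = PureWindowsPath(command.strip().strip('"'))
    parts = [p.lower() for p in exe.parts]
    if not parts:
        return False
    if parts[0] in ("%systemroot%", "%windir%"):
        return True
    return len(parts) >= 2 and parts[0] == "c:\\" and parts[1] == "windows"


def find_suspicious_tasks(tasks):
    """Flag tasks that pose as Windows Update but run from outside the Windows directory."""
    flagged = []
    for task_path, xml_text in tasks.items():
        description, command = parse_task(xml_text)
        if looks_like_windows_update(task_path, description) and not runs_from_windows_dir(command):
            flagged.append((task_path, command.strip().strip('"')))
    return flagged


if __name__ == "__main__":
    for task_path, command in find_suspicious_tasks(SAMPLE_TASKS):
        print(f"suspicious task {task_path!r} runs {command}")
```

On a live host the same logic applies to the XML files under the Tasks folder or to the output of `schtasks /query /xml`; the name match is intentionally loose because impostor tasks vary the name, and the path rule is where the real signal lies.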
Next, a second framework module, Finder, collects cookies and credentials from the infected system and sends them to the operators as ZIP archives. This module also communicates with a secondary command-and-control server, which sends commands to the malware and specifies how often data should be collected and exfiltrated from infected systems.
The third module, Patcher, was used in earlier versions of the framework to install the malicious extension; in recent versions its functionality has been folded into the Installer module.
Once the browser is compromised, the extension immediately goes to work, injecting advertising into websites and generating traffic hidden from the user (for example, "watching" Twitch streams in the background or liking YouTube videos).
"Basically, the framework code is related to advertising fraud and includes scripts that search for and replace advertising-related code on web pages, but the framework also contains code to track information about clicks and transfer other data to management servers," the experts write.
Interestingly, the ads are not injected on every site the victim visits: the malware carries an extensive blacklist that includes Google domains, various Russian resources and porn sites.