Researchers have sniffed out a malware framework that targets major browsers installed on Window machines, and has generated more than 1 billion false Google AdSense impressions in the past three months alone.
“The framework is designed to pad statistics on social sites and ad impressions, creating revenue for its operators who are using a botnet to attack the content and advertising platforms by spreading the malware and targeting browsers including Google Chrome, Mozilla Firefox, and Yandex’s browser,” explain Flashpoint researchers Jason Reaves and Joshua Platt in a company blog post published today.
The malware is most commonly found in Russia, Ukraine and Kazakhstan.
Upon infecting a browser, the malware executes in three stages. First, the installer establishes persistence by setting itself up as a task related to Windows update, and then it either directly creates a new browser extension or it downloads a module for this same purpose.
Up next comes the Finder module, which steals browser logins and cookies and exfiltrates them to a command-and-control server in .zip files. It also communicates with a separate C2 panel, which dictates “how frequently to check in with compromised bots and send back stolen credentials and cookie data,” Flashpoint reports.
The third stage involves the Patcher module, which installs the browser extension, which is designed to inject scripts into various web pages or generate traffic that remains invisible to users. Not all websites are affected, however: certain Google domains, Russian websites and pornographic websites have been blacklisted.