Malware framework generates 1B fake ad impressions in 3 months

Researchers have sniffed out a malware framework that targets major browsers installed on Window machines, and has generated more than 1 billion false Google AdSense impressions in the past three months alone.

"The framework is designed to pad statistics on social sites and ad impressions, creating revenue for its operators who are using a botnet to attack the content and advertising platforms by spreading the malware and targeting browsers including Google Chrome, Mozilla Firefox, and Yandex's browser," explain Flashpoint researchers Jason Reaves and Joshua Platt in a company blog post published today.

The malware is most commonly found in Russia, Ukraine and Kazakhstan.

Upon infecting a browser, the malware executes in three stages. First, the installer establishes persistence by setting itself up as a task related to Windows update, and then it either directly creates a new browser extension or it downloads a module for this same purpose.

Up next comes the Finder module, which steals browser logins and cookies and exfiltrates them to a command-and-control server in .zip files. It also communicates with a separate C2 panel, which dictates "how frequently to check in with compromised bots and send back stolen credentials and cookie data," Flashpoint reports.

The third stage involves the Patcher module, which installs the browser extension, which is designed to inject scripts into various web pages or generate traffic that remains invisible to users. Not all websites are affected, however: certain Google domains, Russian websites and pornographic websites have been blacklisted.

The malware framework also includes code that hunts for YouTube referrers and, upon finding them, injects JavaScript with code that fraudulently generates likes for videos. Most of these YouTube videos feature content related to Russian politics, Flashpoint reports. Additionally the framework also features code for injecting browsers with iframes that play Twitch streams that remain hidden from infected users. These YouTube and Twitch functionalities both also content producers to pad their stats.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.