Malware Framework Gathers 1 Billion Ad Impressions in 3 Months

Flashpoint security researchers have discovered a new malware framework that managed to gather over one billion fraudulent ad impressions in the past three months.

The framework, which has generated significant Google AdSense revenue on a monthly basis, features three separate stages aimed at installing a malicious browser extension to perform fraudulent AdSense impressions, generate likes on YouTube videos, and watch hidden Twitch streams.

The malicious tool works by padding statistics on social sites and ad impressions, thus generating revenue for its operators. Malware is used to create a botnet to target the content and advertising platform via browsers such as Chrome, Firefox, and Yandex.

With video and streaming services paying producers for content based on different tiers, higher counts usually mean higher financial gains, and this sometimes leads to unscrupulous behavior.

Code discovered by Flashpoint researchers would look for YouTube referrers and inject a new script tag to load code for the video service. The injected JavaScript contains code to like videos, most of which are related to political topics in Russia.

Additionally, the security researchers discovered code that would inject an iframe into the browser to play a hidden Twitch stream, padding the viewer stats for the streamer on that page.
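As an added illustration of how a defender might spot the two injection patterns described above (an off-site script tag and a hidden iframe pointed at a streaming site), here is a small page audit. It is example code written for this page, not code from the article or from Flashpoint's research; the trusted-host and stream-host lists are assumptions, and the element descriptors are constructed so the check runs under Node, whereas in a browser they would be built from `document.querySelectorAll("iframe, script")` and `getComputedStyle`.

```javascript
// Hosts the page is expected to load scripts from (assumed allowlist).
const TRUSTED_SCRIPT_HOSTS = ["www.youtube.com", "s.ytimg.com"];
// Streaming hosts that should never sit in a hidden frame (assumption).
const STREAM_HOSTS = ["twitch.tv", "www.twitch.tv", "player.twitch.tv"];

// Hostname of an absolute URL; "" for inline or relative (same-origin) sources.
function hostOf(url) {
  if (!url) return "";
  try { return new URL(url).hostname; } catch { return ""; }
}

// An element is "hidden" when it cannot be seen: display none, hidden
// visibility, collapsed to a 1x1 box, pushed far off-screen, or fully transparent.
function isHidden(el) {
  const s = el.style || {};
  if (s.display === "none" || s.visibility === "hidden") return true;
  if ((el.width || 0) <= 1 || (el.height || 0) <= 1) return true;
  if (parseInt(s.left, 10) < -1000 || parseInt(s.top, 10) < -1000) return true;
  return parseFloat(s.opacity) === 0;
}

// Walks element descriptors and reports hidden stream frames and scripts
// loaded from hosts outside the allowlist.
function auditElements(elements) {
  const findings = [];
  for (const el of elements) {
    const tag = (el.tagName || "").toLowerCase();
    const host = hostOf(el.src || "");
    if (tag === "iframe" && STREAM_HOSTS.includes(host) && isHidden(el)) {
      findings.push({ kind: "hidden-stream-frame", src: el.src });
    } else if (tag === "script" && host && !TRUSTED_SCRIPT_HOSTS.includes(host)) {
      findings.push({ kind: "foreign-script", src: el.src });
    }
  }
  return findings;
}

// Constructed sample: a visible player, a hidden Twitch frame, a first-party
// script and an injected one (all URLs are made up for this example).
const SAMPLE = [
  { tagName: "IFRAME", src: "https://www.youtube.com/embed/abc", width: 640, height: 360, style: {} },
  { tagName: "IFRAME", src: "https://player.twitch.tv/?channel=x", width: 1, height: 1, style: { left: "-9999px" } },
  { tagName: "SCRIPT", src: "https://s.ytimg.com/yts/base.js", style: {} },
  { tagName: "SCRIPT", src: "https://cdn.example.invalid/inject.js", style: {} },
];

console.log(auditElements(SAMPLE));
```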

The initial stage of the framework runs immediately after the browser has been infected: it establishes persistence by creating a Windows Update-themed task, and once that is in place the installer sets up the extension.

The next stage is dubbed Finder, a module designed to steal browser logins and cookies. The gathered data is packaged in .zip files and sent to the attacker’s command-and-control (C&C) infrastructure.

The module also connects to a separate C&C panel, from which it retrieves update binaries and learns how often it should check in and send back the stolen credentials and cookie data.

The attack also leverages a Patcher module, which is responsible for installing the browser extension. In newer versions of the malware, the installer and patcher are bundled together.

The installer also includes encoded resource sections that are scripts to be used for the browser extension, which has been designed to inject the scripts into web pages. Further functionality depends on the page.

The components use Chrome messaging and Firebase Cloud Messaging for communication, but the researchers also found variants with references to FCM or XMPP, possibly for communication with another service.

Once executed within the browser, the extension starts injecting ads or generating traffic hidden to the user. Most of the code in the framework has been designed for ad fraud, with scripts meant to search and replace ad-related code on web pages, but Flashpoint also found code for reporting clicks and other data to the C&C.

The scripts do not inject every website: they carry large blacklists of domains, most of them Google domains and Russian websites, and they also avoid pornographic sites so as not to skew the impression statistics.

The malware, Flashpoint says, appears focused on a few geographic locations, led by Russia, Ukraine, and Kazakhstan.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.