Flashpoint security researchers have discovered a new malware framework that managed to gather over one billion fraudulent ad impressions in the past three months.
The framework, which has generated significant Google AdSense revenue on a monthly basis, features three separate stages aimed at installing a malicious browser extension to perform fraudulent AdSense impressions, generate likes on YouTube videos, and watch hidden Twitch streams.
The malicious tool works by padding statistics on social sites and ad impressions, thus generating revenue for its operators. Malware is used to create a botnet to target the content and advertising platform via browsers such as Chrome, Firefox, and Yandex.
With video and streaming services paying producers for content based on different tiers, higher counts usually mean higher financial gains, and this sometimes leads to unscrupulous behavior.
Code discovered by Flashpoint researchers would look for YouTube referrers and inject a new script tag to load code for the video service. The injected JavaScript contains code to like videos, most of which are related to political topics in Russia.
Additionally, the security researchers discovered code that would inject an iframe into the browser to play a hidden Twitch stream, padding the viewer stats for the streamer on that page.
The initial stage of the framework is executed immediately after the browser has been infected, by setting up persistence through creating a task related to Windows Update. Once this has been completed, the installer sets up the extension.
The next stage is dubbed Finder, a module designed to steal browser logins and cookies. The gathered data is packaged in .zip files and sent to the attacker’s command-and-control (C&C) infrastructure.
The module also connects to a separate C&C panel to retrieve update binaries to learn how often it should check in with bots and send back stolen credentials and cookie data.
The attack also leverages a Patcher module, which is responsible for installing the browser extension. In newer versions of the malware, the installer and patcher are bundled together.
The installer also includes encoded resource sections that are scripts to be used for the browser extension, which has been designed to inject the scripts into web pages. Further functionality depends on the page.
The components use Chrome messaging and FireBase cloud messaging for communication, but the researchers also found variants with references to FCM or XMPP for possible communication with another service.
Once executed within the browser, the extension starts injecting ads or generating traffic hidden to the user. Most of the code in the framework has been designed for ad fraud, with scripts meant to search and replace ad-related code on web pages, but Flashpoint also found code for reporting clicks and other data to the C&C.
The scripts would not inject every website, but carry large blacklists of domains, most of which are Google domains and Russian websites. The scripts also attempt to avoid pornographic sites, so as to not throw off the impressions.
The malware, Flashpoint says, appears focused on a few geographic locations, led by Russia, Ukraine, and Kazakhstan.
Related: Google Took Down 2.3 Billion Bad Ads in 2018
Related: Google Blocks New Ad Fraud Scheme