Ad Fraudsters Get Political With Pro-Russia Vids

Hackers have been discovered using malware infections to artificially inflate the popularity of pro-Russia propaganda videos, in a new twist on ad fraud.

Trustwave explained in a blog post that it believed at first that the cyber-criminals were engaged in simple ad fraud, but then noticed the malware browsing to several video clips with specific political content.

The clips themselves are loaded on a “hidden desktop” unseen by the malware victim.

“By artificially increasing the clip's popularity, the fraudsters make the clip more visible in general to users of the video aggregation site,” wrote Trustwave security researcher, Rami Kogan.

“Using bots to generate fake traffic to video clips is nothing new. It is a technique to raise a clip's popularity score and achieve higher visibility. However, this is the first time we've observed the tactic used to promote video clips with a seemingly political agenda.”

The clips spotted by Trustwave as part of this campaign include themes around Western sanctions on Russia and the conflict in Ukraine, and each has an almost identical page-view count: 320,000.

However, despite those relatively high view counts, the clips have no shares, retweets or comments. When the “last day” of visitor traffic is viewed, each clip shows a similar graph pattern, Kogan added.
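Detection logic for the pattern Kogan describes (a cluster of near-identical view totals, zero social engagement, and matching daily-traffic curves), as an added example that is not Trustwave's code; the Clip record, the thresholds and the sample clips are constructed for illustration:

```python
# Added example, not Trustwave's code; all clip data below is constructed.
from collections import namedtuple
from math import sqrt
from statistics import mean

# hourly_views: "last day" traffic, one bucket per hour
Clip = namedtuple("Clip", "clip_id views shares comments hourly_views")

def engagement_ratio(clip):
    """Shares plus comments per view; organic clips are rarely exactly zero."""
    return (clip.shares + clip.comments) / max(clip.views, 1)

def view_clusters(clips, tolerance=0.02):
    """Group clips whose view totals lie within `tolerance` of their neighbour."""
    clusters = []
    for clip in sorted(clips, key=lambda c: c.views):
        if clusters and abs(clip.views - clusters[-1][-1].views) <= tolerance * clip.views:
            clusters[-1].append(clip)
        else:
            clusters.append([clip])
    return clusters

def pearson(xs, ys):
    """Shape similarity of two traffic curves; 0.0 for a flat curve (no division by zero)."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    norm = sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))
    return cov / norm if norm else 0.0

def flag_inflated(clips, min_views=100_000, max_engagement=1e-4, min_corr=0.95):
    """Ids of clips that share a view cluster, show no engagement and have near-copy traffic curves."""
    flagged = set()
    for cluster in view_clusters(clips):
        quiet = [c for c in cluster if c.views >= min_views and engagement_ratio(c) <= max_engagement]
        for i, a in enumerate(quiet):
            for b in quiet[i + 1:]:
                if pearson(a.hourly_views, b.hourly_views) >= min_corr:
                    flagged.update({a.clip_id, b.clip_id})
    return sorted(flagged)

# Constructed sample: three clips at ~320,000 views, no engagement, repetitive traffic; two organic-looking clips.
BOT_CURVE = [13000 + (h % 6) * 400 for h in range(24)]
HUMAN_CURVE = [200 + h * 90 if h < 12 else 1300 - (h - 12) * 60 for h in range(24)]
CLIPS = [
    Clip("sanctions-1", 320_000, 0, 0, BOT_CURVE),
    Clip("ukraine-2", 319_800, 0, 0, BOT_CURVE),
    Clip("sanctions-3", 320_400, 0, 0, [v + 100 for v in BOT_CURVE]),
    Clip("cat-video", 321_000, 4_500, 900, HUMAN_CURVE),
    Clip("tutorial", 48_000, 120, 35, HUMAN_CURVE),
]
```

Calling `flag_inflated(CLIPS)` returns the three themed clips and leaves the organic ones alone; the thresholds are starting points to tune against a platform's real engagement baseline.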

Users are also directed to pages which don’t have any pro-Russian or geopolitical bent, indicating that the attackers are also trying to monetize their attack by regular ad fraud.

The attack begins when a user visits a compromised website offering assistance to tourists: an injected iframe on that site leads to the Angler exploit kit, which in turn checks for AV products and tools used by security researchers.

The exploit frequently results in an install of the Bedep trojan, which forces the victim computer to visit numerous sites in a bid to generate fake traffic to ads.

Some of the sites appear normal but are actually registered by the cyber-criminals and hide a huge number of ads, packed in to generate the maximum return on investment, Trustwave said.

The technique has been used before, by the TDSS botnet, but this campaign differs in how it hides the malicious activity from the user.

“Bedep creates a hidden virtual desktop that hosts the Internet Explorer COM window invisibly. That hidden window functions as a fully featured Internet Explorer instance,” Kogan explained.

One final surprise in the campaign: Trustwave also found already infected machines being directed by the C&C to the Magnitude and Neutrino exploit kits.

“It seems that the guys behind this particular C&C are trying to maximize their profit by selling traffic from compromised computers to other campaigners that seek to spread their own malware via Magnitude and Neutrino,” explained Kogan.

“Just to make it clear: An already infected computer is visiting ads silently without the user's consent, and gets re-infected over and over again.”
