New Malware frame uses Ad Fraud Browser Extension

Ad Fraud Browser Extension

Researchers uncovered a new and highly prolific malware environment, in which their creators generate over a period of only 3 months, over one billion fraudulent ad impressions.

The attackers used the framework to boost the Google AdSense revenue using a malicious browser extension to produce AdSense impressions from smooth air, while also looking at Twitch streams tirelessly and generating fake YouTube likes backgrounds.

“The framework is intended for the purpose of pad statistics on social sites and ad prints, providing revenues for its operators who use a botnet to attack content or ad platforms through the distribution of malware and browser targeting including Google Chrome, Mozilla Firefox and the browser,” the researchers from Flashpoint found out about the ad fraud framework.

Web browsers of the victims are infected by a multi-stage approach starting with an “installer” module, which installs the malicious browser add-on and persists on the target computer with a planned task.

The next step is to collect the browser cookies and credentials for the victim, sending them in ZIP archives as a control and command infrastructure for their masters, called “finding.”

This is also the module that connects to a secondary C2 server that sends the frequency used to collect and exfiltrate data from infected web browsers.

Sending cookiesto the C2 server

Sending cookies to the C2 server

The malware module is used by attackers dubbed “Patcher” and used to install an early version of the ad fraud framework to the malicious browser extension, which is linked to the installer module by newest versions. Send cookies to the server Send cookies to the server C2.

“To inject scripts into web pages, the extension is essentially set up, which can then be further supported, in accordance with the page,” Flashpoint says.

Malicious ad fraud framework capability

The browser will immediately begin generating web traffic and ads on websites visited by its victims once it has successfully compromised its extension setting.

Malicious complements also inject various script versions designed to pursue and replace ad code on the web site and report ad click and other data types on its C2 servers. This is a malicious complement for its users.

Ad replacing script

Ad replacing script

However, the Framework will also ensure that Google domain and multiple porn and Russian websites do not get messed up and that an integrated blacklist for sites should be checked to prevent scripts and publicity injecting from being detected.

A few countries are involved in the malicious activities surrounding this fraudulent AdSense campaign, with Kazakhstan, Russia and Ukraine being the most prominent examples.

The background of the botnet created with the use of this ad fraud-centric malware framework uses a huge database which will cycle the data that the bots send onto C2 infrastructures, eliminating the old data collected — potentially useless — to provide room for newly stolen cookies and credentials.

“There are a number of views around the production of statistics on bottlenecks and their activities,” the FlashPoint researchers found. “The data are stored for several months before it is wiped or reset.

Most impacted countries

Most impacted countries

The Flashpoint research team provides a complete list of compromise indicators (IOCs) in CSV and JSON formats including SHA256 hacks for more than 1400 malware samples, and eight fields used in the fraud campaign AdSense and Snort rules aimed at identifying the malicious activities involved. Most affected countries

In January, two sets of fake Android apps[1,2] were found to be flooding their users ‘ devices with extremely intrusive full-screen advertisements when users unlock the device, or every 15/30 minuten with over 17 million installs in the Google Play Store.

Signed using various codesign certificates and published under different developer names, the applications also concealed a view that would not allow victims to uninstall ads on infected Android devices while programming ads.

In a December 2018 mobile click-fraud campaign, 22 Android apps were used to get advertisers to pay operators the highest ad prices, which resulted in the display of ads on iPhone 5 to 8 Plus devices by Apple.

Image credit: Bleeping computer

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.