Friday, November 1, 2024
HomeCyber AttackDoppelGänger Attack: Malware Routed Via News Websites And Social Media

DoppelGänger Attack: Malware Routed Via News Websites And Social Media

Published on

Malware protection

A Russian influence campaign, DoppelGänger, leverages fake news websites (typosquatted and independent) to spread disinformation, undermining support for Ukraine.

Structura and SDA are running the campaign, which started in May 2022 and targets France, Germany, and other countries. 

Inauthentic social media accounts, particularly on video platforms, amplify the articles, and interestingly, the campaign’s activity appears to correlate with real-world events like protests, aid decisions, and national budget votes, suggesting attempts to exploit these situations. 

- Advertisement - SIEM as a Service

The DoppelGänger campaign utilizes a three-stage redirection process. Stage One provides social media platforms with thumbnail metadata, while Stage Two fetches and executes an obfuscated JavaScript script from Stage 3, ultimately redirecting users to disinformation websites.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Stage three leverages Keitaro for campaign performance monitoring, and it has been identified that a new cluster linked to the campaign is managed by a control panel designed to handle multiple disinformation websites simultaneously. 

Two categories of website related to DoppelGänger

The content primarily targets Russian audiences, suggesting a shift in objectives, which leads to the hypothesis that Russian agencies Structura and SDA, behind the campaign, are also responsible for Moscow-backed Russian-language propaganda efforts.  

This network of websites uses audience targeting to deliver messages tailored to specific demographics and interests by employing various techniques, including local languages and cultural references (ledialogue.fr), targeting online communities (mypride.press), aligning content with political views (electionwatch.live), and focusing on specific sectors (lesifflet.net). 

The strategy suggests a well-defined plan to identify receptive online groups and influence them with messaging that furthers Russian interests. 

Number of DoppelGanger articles published by country

The DoppelGänger campaign utilizes a multi-layered infrastructure to funnel users towards propaganda websites. 

Social media posts with contentious themes act as the initial hook and then redirect users, through a series of techniques, to articles hosted on either compromised legitimate news outlets (typosquatting) or newly created fake websites. 

DoppelGanger Infrastructure

An open-source Traefik control panel running on port 8080 of 178.62.255.247 was discovered, likely managing disinformation websites for the DoppelGänger campaign. 

The “Providers” tab lists managed domains like newsroad.online, while the “Health” tab offers server health statistics and error logs for monitoring website performance, as the /health endpoint provides the same data in JSON format. 

Screenshot of http://178.62.255[.]247:8080/dashboard/ page

Analysis of logs revealed requests for non-existent articles and identified another IP (206.189.243.184) potentially mirroring the content, suggesting a redundancy solution. 

According to researchers at Sekoia, the same actors behind the previously known campaign are probably running a new DoppelGänger cluster that targets Russian speakers. Websites involved, like newsroad.online, utilize Cloudflare CDN to mask their IP addresses. 

However, exploiting misconfigured functionalities of the Content Management System (CMS), in this case a WordPress pingback function exposed through xmlrpc.php, allowed researchers to reveal the real IP address behind newsroad.online.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...