Tuesday, June 25, 2024

DoppelGänger Attack: Malware Routed Via News Websites And Social Media

A Russian influence campaign, DoppelGänger, leverages fake news websites (typosquatted and independent) to spread disinformation, undermining support for Ukraine.

Structura and SDA are running the campaign, which started in May 2022 and targets France, Germany, and other countries. 

Inauthentic social media accounts, particularly on video platforms, amplify the articles, and interestingly, the campaign’s activity appears to correlate with real-world events like protests, aid decisions, and national budget votes, suggesting attempts to exploit these situations. 

The DoppelGänger campaign utilizes a three-stage redirection process. Stage One provides social media platforms with thumbnail metadata, while Stage Two fetches and executes an obfuscated JavaScript script from Stage 3, ultimately redirecting users to disinformation websites.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Stage three leverages Keitaro for campaign performance monitoring, and it has been identified that a new cluster linked to the campaign is managed by a control panel designed to handle multiple disinformation websites simultaneously. 

Two categories of website related to DoppelGänger

The content primarily targets Russian audiences, suggesting a shift in objectives, which leads to the hypothesis that Russian agencies Structura and SDA, behind the campaign, are also responsible for Moscow-backed Russian-language propaganda efforts.  

This network of websites uses audience targeting to deliver messages tailored to specific demographics and interests by employing various techniques, including local languages and cultural references (ledialogue.fr), targeting online communities (mypride.press), aligning content with political views (electionwatch.live), and focusing on specific sectors (lesifflet.net). 

The strategy suggests a well-defined plan to identify receptive online groups and influence them with messaging that furthers Russian interests. 

Number of DoppelGanger articles published by country

The DoppelGänger campaign utilizes a multi-layered infrastructure to funnel users towards propaganda websites. 

Social media posts with contentious themes act as the initial hook and then redirect users, through a series of techniques, to articles hosted on either compromised legitimate news outlets (typosquatting) or newly created fake websites. 

DoppelGanger Infrastructure

An open-source Traefik control panel running on port 8080 of was discovered, likely managing disinformation websites for the DoppelGänger campaign. 

The “Providers” tab lists managed domains like newsroad.online, while the “Health” tab offers server health statistics and error logs for monitoring website performance, as the /health endpoint provides the same data in JSON format. 

Screenshot of http://178.62.255[.]247:8080/dashboard/ page

Analysis of logs revealed requests for non-existent articles and identified another IP ( potentially mirroring the content, suggesting a redundancy solution. 

According to researchers at Sekoia, the same actors behind the previously known campaign are probably running a new DoppelGänger cluster that targets Russian speakers. Websites involved, like newsroad.online, utilize Cloudflare CDN to mask their IP addresses. 

However, exploiting misconfigured functionalities of the Content Management System (CMS), in this case a WordPress pingback function exposed through xmlrpc.php, allowed researchers to reveal the real IP address behind newsroad.online.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service


Latest articles

Hackers Exploit Multiple WordPress Plugins to Hack Websites & Create Rogue Admin Accounts

Wordfence Threat Intelligence team identified a significant security breach involving multiple WordPress plugins. The initial...

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles