DoppelGänger Attack: Malware Routed Via News Websites And Social Media

A Russian influence campaign, DoppelGänger, leverages fake news websites (typosquatted and independent) to spread disinformation, undermining support for Ukraine.

Structura and SDA are running the campaign, which started in May 2022 and targets France, Germany, and other countries. 

Inauthentic social media accounts, particularly on video platforms, amplify the articles, and interestingly, the campaign’s activity appears to correlate with real-world events like protests, aid decisions, and national budget votes, suggesting attempts to exploit these situations. 

The DoppelGänger campaign utilizes a three-stage redirection process. Stage One provides social media platforms with thumbnail metadata, while Stage Two fetches and executes an obfuscated JavaScript script from Stage 3, ultimately redirecting users to disinformation websites.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Stage three leverages Keitaro for campaign performance monitoring, and it has been identified that a new cluster linked to the campaign is managed by a control panel designed to handle multiple disinformation websites simultaneously. 

The content primarily targets Russian audiences, suggesting a shift in objectives, which leads to the hypothesis that Russian agencies Structura and SDA, behind the campaign, are also responsible for Moscow-backed Russian-language propaganda efforts.  

This network of websites uses audience targeting to deliver messages tailored to specific demographics and interests by employing various techniques, including local languages and cultural references (ledialogue.fr), targeting online communities (mypride.press), aligning content with political views (electionwatch.live), and focusing on specific sectors (lesifflet.net). 

The strategy suggests a well-defined plan to identify receptive online groups and influence them with messaging that furthers Russian interests. 

The DoppelGänger campaign utilizes a multi-layered infrastructure to funnel users towards propaganda websites. 

Social media posts with contentious themes act as the initial hook and then redirect users, through a series of techniques, to articles hosted on either compromised legitimate news outlets (typosquatting) or newly created fake websites. 

An open-source Traefik control panel running on port 8080 of 178.62.255.247 was discovered, likely managing disinformation websites for the DoppelGänger campaign. 

The “Providers” tab lists managed domains like newsroad.online, while the “Health” tab offers server health statistics and error logs for monitoring website performance, as the /health endpoint provides the same data in JSON format. 

Analysis of logs revealed requests for non-existent articles and identified another IP (206.189.243.184) potentially mirroring the content, suggesting a redundancy solution. 

According to researchers at Sekoia, the same actors behind the previously known campaign are probably running a new DoppelGänger cluster that targets Russian speakers. Websites involved, like newsroad.online, utilize Cloudflare CDN to mask their IP addresses. 

However, exploiting misconfigured functionalities of the Content Management System (CMS), in this case a WordPress pingback function exposed through xmlrpc.php, allowed researchers to reveal the real IP address behind newsroad.online.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service