DoppelGänger Attack: Malware Routed Via News Websites And Social Media

A Russian influence campaign, DoppelGänger, leverages fake news websites (typosquatted and independent) to spread disinformation, undermining support for Ukraine.

Structura and SDA are running the campaign, which started in May 2022 and targets France, Germany, and other countries. 

Inauthentic social media accounts, particularly on video platforms, amplify the articles, and interestingly, the campaign’s activity appears to correlate with real-world events like protests, aid decisions, and national budget votes, suggesting attempts to exploit these situations. 

The DoppelGänger campaign utilizes a three-stage redirection process. Stage One provides social media platforms with thumbnail metadata, while Stage Two fetches and executes an obfuscated JavaScript script from Stage 3, ultimately redirecting users to disinformation websites.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Stage three leverages Keitaro for campaign performance monitoring, and it has been identified that a new cluster linked to the campaign is managed by a control panel designed to handle multiple disinformation websites simultaneously. 

Two categories of website related to DoppelGänger

The content primarily targets Russian audiences, suggesting a shift in objectives, which leads to the hypothesis that Russian agencies Structura and SDA, behind the campaign, are also responsible for Moscow-backed Russian-language propaganda efforts.  

This network of websites uses audience targeting to deliver messages tailored to specific demographics and interests by employing various techniques, including local languages and cultural references (ledialogue.fr), targeting online communities (mypride.press), aligning content with political views (electionwatch.live), and focusing on specific sectors (lesifflet.net). 

The strategy suggests a well-defined plan to identify receptive online groups and influence them with messaging that furthers Russian interests. 

Number of DoppelGanger articles published by country

The DoppelGänger campaign utilizes a multi-layered infrastructure to funnel users towards propaganda websites. 

Social media posts with contentious themes act as the initial hook and then redirect users, through a series of techniques, to articles hosted on either compromised legitimate news outlets (typosquatting) or newly created fake websites. 

DoppelGanger Infrastructure

An open-source Traefik control panel running on port 8080 of 178.62.255.247 was discovered, likely managing disinformation websites for the DoppelGänger campaign. 

The “Providers” tab lists managed domains like newsroad.online, while the “Health” tab offers server health statistics and error logs for monitoring website performance, as the /health endpoint provides the same data in JSON format. 

Screenshot of http://178.62.255[.]247:8080/dashboard/ page

Analysis of logs revealed requests for non-existent articles and identified another IP (206.189.243.184) potentially mirroring the content, suggesting a redundancy solution. 

According to researchers at Sekoia, the same actors behind the previously known campaign are probably running a new DoppelGänger cluster that targets Russian speakers. Websites involved, like newsroad.online, utilize Cloudflare CDN to mask their IP addresses. 

However, exploiting misconfigured functionalities of the Content Management System (CMS), in this case a WordPress pingback function exposed through xmlrpc.php, allowed researchers to reveal the real IP address behind newsroad.online.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Splunk RCE Vulnerability Let Attackers Execute Remote Code

Splunk, the data analysis and monitoring platform, is grappling with a Remote Code Execution (RCE)…

41 minutes ago

Europol Shutsdown 27 DDoS Service Provider Platforms

In a major international operation codenamed “PowerOFF,” Europol, collaborating with law enforcement agencies across 15…

1 hour ago

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center (GSOC)…

16 hours ago

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and destructive…

16 hours ago

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence Information…

16 hours ago

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the start…

16 hours ago