Cyber Attack

DoppelGänger Attack: Malware Routed Via News Websites And Social Media

A Russian influence campaign, DoppelGänger, leverages fake news websites (typosquatted and independent) to spread disinformation, undermining support for Ukraine.

Structura and SDA are running the campaign, which started in May 2022 and targets France, Germany, and other countries. 

Inauthentic social media accounts, particularly on video platforms, amplify the articles, and interestingly, the campaign’s activity appears to correlate with real-world events like protests, aid decisions, and national budget votes, suggesting attempts to exploit these situations. 

The DoppelGänger campaign utilizes a three-stage redirection process. Stage One provides social media platforms with thumbnail metadata, while Stage Two fetches and executes an obfuscated JavaScript script from Stage 3, ultimately redirecting users to disinformation websites.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Stage three leverages Keitaro for campaign performance monitoring, and it has been identified that a new cluster linked to the campaign is managed by a control panel designed to handle multiple disinformation websites simultaneously. 

Two categories of website related to DoppelGänger

The content primarily targets Russian audiences, suggesting a shift in objectives, which leads to the hypothesis that Russian agencies Structura and SDA, behind the campaign, are also responsible for Moscow-backed Russian-language propaganda efforts.  

This network of websites uses audience targeting to deliver messages tailored to specific demographics and interests by employing various techniques, including local languages and cultural references (ledialogue.fr), targeting online communities (mypride.press), aligning content with political views (electionwatch.live), and focusing on specific sectors (lesifflet.net). 

The strategy suggests a well-defined plan to identify receptive online groups and influence them with messaging that furthers Russian interests. 

Number of DoppelGanger articles published by country

The DoppelGänger campaign utilizes a multi-layered infrastructure to funnel users towards propaganda websites. 

Social media posts with contentious themes act as the initial hook and then redirect users, through a series of techniques, to articles hosted on either compromised legitimate news outlets (typosquatting) or newly created fake websites. 

DoppelGanger Infrastructure

An open-source Traefik control panel running on port 8080 of 178.62.255.247 was discovered, likely managing disinformation websites for the DoppelGänger campaign. 

The “Providers” tab lists managed domains like newsroad.online, while the “Health” tab offers server health statistics and error logs for monitoring website performance, as the /health endpoint provides the same data in JSON format. 

Screenshot of http://178.62.255[.]247:8080/dashboard/ page

Analysis of logs revealed requests for non-existent articles and identified another IP (206.189.243.184) potentially mirroring the content, suggesting a redundancy solution. 

According to researchers at Sekoia, the same actors behind the previously known campaign are probably running a new DoppelGänger cluster that targets Russian speakers. Websites involved, like newsroad.online, utilize Cloudflare CDN to mask their IP addresses. 

However, exploiting misconfigured functionalities of the Content Management System (CMS), in this case a WordPress pingback function exposed through xmlrpc.php, allowed researchers to reveal the real IP address behind newsroad.online.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Guru baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these systems to steal sensitive data, interrupt…

2 days ago

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a threat actor to read sensitive files…

2 days ago

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes. Resecurity researchers have recently revealed that…

2 days ago

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million Ecuadorian citizens. The announcement was made…

2 days ago

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery efforts following a recent cybersecurity breach.…

3 days ago

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection for Amazon Simple Storage Service (Amazon…

3 days ago