Researchers discovered a new malware framework that developed to perform fraudulent Google AdSense impressions by installing a malicious browser extension.
In the past 3 months, This Malware framework gained more than one billion fraudulent ad impressions and generated a significant Google AdSense revenue every month.
Threat actors behind this malvertising campaign abusing the content and advertising platforms by deploying the malware and generating a huge amount of revenue.
Malware framework is designed to pad statistics on social sites and ad impressions by including Google Chrome, Mozilla Firefox, and Yandex’s browser and install a malicious browser extension.
Malicious browser extension not only designed to gain ad impression but also generate likes on YouTube videos and watch hidden Twitch streams.
Stages to Install Browser Extension
Threat actors are using three separate stages such as Installer, Finder and Patcher to install the malicious browser extension.
Once malware framework infecting the victim’s browsers, the Installer component set up a new browsers extension and it make sure the extension was successfully installed.
Next component Dubbed Finder is ultimately designed to steal browser logins and cookies which is later package in .zip files and send it to the attacker via command and control server.
It also retrieves update binaries instructing from separate C2 panel that check-in with compromised bots and send back stolen credentials and cookie data.
Final Module Patcher component is responsible for installing the browser extension.
Malicious Extension Behaviour
After the successful installation in the browser, the extension begins injecting ads and generating the hidden traffic.
Most of the code written in this framework intended to commit ad fraud and the scripts also used to search and replace the ad-related code on web pages and eventually report the ad clicks to the C2 server.
According to Flashpoint report, the scripts do not inject every website, and most carry large blacklists of domains that are mostly Google domains and Russian websites. In addition, the scripts also attempt to avoid injects into pornographic sites, as these may throw off the impressions. The malware is concentrated in a few geographic locations, led by Russia, Ukraine, and Kazakhstan.