A new malware framework has been discovered inflating statistics on social sites and padding ad impressions, according to new research from Flashpoint.
Researchers explained that over the course of the past three months, the malware framework has been responsible for more than one billion fraudulent Google AdSense ad impressions.
The malware uses three separate stages of installation to deliver a malicious browser extension that performs fraudulent AdSense impressions and generates likes on YouTube videos. It also watches hidden Twitch streams.
The initial stage of the framework executes the installer, which either sets up a new browser or downloads a module that does so. “The installer sets itself up as a task related to Windows Update by creating an XML file on the local disk and executing it as a scheduled task (schtasks),” the July 18 blog post explained. It then checks to make sure the installer was successful.
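The persistence step described above (a scheduled task dressed up as Windows Update, defined by an XML file handed to schtasks) is something a responder can audit directly, because every scheduled task can be exported back out as XML with `schtasks /Query /TN <name> /XML`. The following Python script is an added example, not Flashpoint's code or anything from the malware, and it audits such exports: it flags update-themed tasks whose action does not launch from System32, and any task whose action launches from a user-writable location. The task XML namespace is the real one; the two task definitions, the binary names and paths in them are constructed samples.

```python
import xml.etree.ElementTree as ET

# Namespace used by the Windows Task Scheduler XML format (what `schtasks /query /xml` emits)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories from which legitimate Windows Update components are launched
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "%systemroot%\\system32\\",
)

# Path fragments that indicate a user-writable location (no Windows Update component lives here)
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "%appdata%", "%localappdata%", "%temp%")


def audit_task_xml(xml_text):
    """Return a list of findings (strings) for one scheduled-task definition.

    xml_text may be a str or the raw bytes of a schtasks export (exports are UTF-16
    with a BOM; passing the bytes lets the XML parser pick that up itself).
    """
    root = ET.fromstring(xml_text)
    findings = []
    desc = root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    # "Windows Update" and "WindowsUpdate" both count as update-themed naming
    update_themed = "windowsupdate" in f"{desc} {uri}".lower().replace(" ", "")
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        low = cmd.lower()
        if update_themed and not low.startswith(TRUSTED_PREFIXES):
            findings.append(f"Windows Update-themed task runs a binary outside System32: {cmd}")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            findings.append(f"task action launches from a user-writable location: {cmd}")
    return findings


# Constructed sample shaped like a stock Windows Update task (not copied from a real system)
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\Microsoft\Windows\WindowsUpdate\Scheduled Start</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\svchost.exe</Command>
      <Arguments>-k netsvcs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample of an update-themed task whose action points at a user-writable path
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Windows Update</Description>
    <URI>\WindowsUpdate</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\Libraries\wupdate.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("benign", BENIGN_TASK), ("suspicious", SUSPICIOUS_TASK)):
        print(name, audit_task_xml(xml_text) or ["no findings"])
```

The check keys on the action rather than the task name because the name is exactly what the attacker controls; to sweep a whole host, export every task under the Tasks directory and feed each file's bytes to `audit_task_xml`.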
The second component is the finder, “a module designed to steal browser logins and cookies, package them in .zip files, and send them to the attacker’s command-and-control infrastructure.” Finally, the patcher module sets up the browser extension.
According to the research, the malware generates revenue for its operators, who run the infected machines as a botnet against content and advertising platforms, spreading the malware to browsers such as Google Chrome, Mozilla Firefox and Yandex’s browser.
“Flashpoint researchers found code, for example, that looks for YouTube referrers and then injects a new script tag to load code for YouTube. In this case, the injected JavaScript has an extensive amount of code that is designed to like videos, most of which are related to political topics in Russia. Separately, researchers also found code that injects an iframe into the browser designed to play a hidden Twitch stream, padding the viewer stats for the streamer on that page,” researchers wrote.
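Both behaviours quoted above leave a footprint in the rendered DOM: a script tag loaded from a host the page itself never uses, and an iframe that is present but hidden. The Python scanner below is an added example, not Flashpoint's code or anything from the malware, and it checks a saved DOM snapshot for exactly those two artefacts. It assumes the analyst supplies an allowlist of the page's legitimate first-party hosts; the sample page and every hostname ending in `.invalid` are constructed placeholders. One caveat for practitioners: because an extension modifies the live DOM, the snapshot has to come from the browser (devtools or "Save page"), not from the raw HTTP response, which would look clean.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _dimension(value):
    """Parse a width/height attribute such as "0", "0px" or "560"; None if not numeric."""
    if value is None:
        return None
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return int(digits) if digits.isdigit() else None


def _is_hidden(attrs):
    """True for an element hidden via inline style or a zero width/height attribute."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return any(_dimension(attrs.get(k)) == 0 for k in ("width", "height"))


class InjectionScanner(HTMLParser):
    """Collects hidden iframes and scripts loaded from hosts outside the allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _allowed(self, host):
        # A host is allowed if it is an allowlisted host or a subdomain of one
        return any(host == a or host.endswith("." + a) for a in self.allowed_hosts)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden-iframe", src))
        elif tag == "script" and host and not self._allowed(host):
            # Relative script URLs (empty host) are first-party by construction
            self.findings.append(("off-allowlist-script", src))


def scan_html(html, allowed_hosts):
    """Return [(kind, src), ...] for every suspicious script or iframe in the snapshot."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed DOM snapshot: two first-party scripts, one visible embed, then an injected
# off-site script and a hidden iframe (the .invalid hosts are placeholders, not real sites)
SAMPLE_PAGE = """<html><body>
<script src="https://www.youtube.com/s/player/base.js"></script>
<script src="/yts/jsbin/desktop.js"></script>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<script src="https://cdn.injected-example.invalid/inject.js"></script>
<iframe src="https://player.stream-example.invalid/?channel=x" style="display: none" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_PAGE, ["youtube.com"]):
        print(f"{kind}: {src}")
```

Real pages pull scripts from CDNs and ad networks, so the allowlist needs to be built from a known-clean snapshot of the same page first; the useful signal is the delta between that baseline and the snapshot taken on the suspect machine.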