Newly Discovered Malware Framework Cashing in on Ad Fraud (Jul 17, 2019)
A new malware framework is responsible for more than one billion fraudulent advertisement instances between May and July 2019, according to Flashpoint researchers. The activity is generating significant monthly Google AdSense revenue for its operators. The framework features three separate stages that ultimately install a malicious browser extension designed to perform fraudulent AdSense impressions, as well as generate likes on YouTube videos and watch hidden Twitch streams. Google Chrome, Mozilla Firefox, and the Yandex browser are all targets on Windows machines. Infected browsers are linked into a botnet that is used to generate monthly income for the fraudsters. The malware is concentrated in a few geographic locations, with most installations in Russia, Ukraine, and Kazakhstan.
Recommendation: This botnet takes advantage of internet-connected devices that have been misconfigured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. Organizations and defenders should be aware of all their internet-facing assets and keep them under strict monitoring.
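Because the final stage of this framework is a browser extension, the practical check a defender can run on Windows endpoints is an inventory of installed extensions, flagging anything sideloaded outside the browser's store, unsigned, or holding permissions broad enough to inject traffic into every page. The script below is an added example written for this briefing; it is not code from the original page or from Flashpoint. It parses the extension inventories that Chrome-family browsers (Chrome, Yandex) keep under `extensions.settings` in the profile's `Preferences`/`Secure Preferences` JSON and that Firefox keeps in the profile's `extensions.json`. The field names, Chromium location codes and Firefox `signedState` values it relies on are assumptions about those formats, and the two sample inventories are constructed for the example; on a real host you would read the profile files and pass their contents in place of the samples.

```python
"""Audit browser extension inventories for sideloaded or over-privileged entries.

Added example for this briefing, not code from the original page or from
Flashpoint. Field names, location codes and signing states below are
assumptions about the Chrome/Firefox profile formats; the sample inventories
are constructed.
"""
import json

# Assumed Chromium Manifest::Location codes: 1 = internal (store/browser
# install), 4 = unpacked directory, 5 = built-in component.
CHROME_OK_LOCATIONS = {1, 5}
# Assumed Firefox signedState: 2 = signed by AMO, 3 = system, 4 = privileged.
FIREFOX_OK_SIGNED = {2, 3, 4}
# Permissions that let an extension read or alter every page or inject traffic.
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                     "tabs", "webNavigation"}


def audit_chrome(prefs_json, allowlist=frozenset()):
    """One finding per non-allowlisted extension that is not from the Web
    Store, was sideloaded, or holds risky permissions."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if ext_id in allowlist:
            continue
        manifest = entry.get("manifest", {})
        # MV2 keeps host patterns in "permissions", MV3 in "host_permissions".
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from Web Store")
        if entry.get("location") not in CHROME_OK_LOCATIONS:
            reasons.append("sideloaded (location=%s)" % entry.get("location"))
        risky = sorted(perms & RISKY_PERMISSIONS)
        if risky:
            reasons.append("risky permissions: " + ", ".join(risky))
        if reasons:
            findings.append({"browser": "chrome", "id": ext_id,
                             "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


def audit_firefox(extensions_json, allowlist=frozenset()):
    """One finding per non-allowlisted extension that is unsigned, installed
    outside the profile (system directory or registry), or holds risky
    permissions."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        ext_id = addon.get("id", "?")
        if addon.get("type") != "extension" or ext_id in allowlist:
            continue
        user_perms = addon.get("userPermissions") or {}
        perms = set(user_perms.get("permissions", [])) | set(user_perms.get("origins", []))
        reasons = []
        if addon.get("signedState") not in FIREFOX_OK_SIGNED:
            reasons.append("unsigned (signedState=%s)" % addon.get("signedState"))
        if addon.get("location") != "app-profile":
            reasons.append("sideloaded (location=%s)" % addon.get("location"))
        risky = sorted(perms & RISKY_PERMISSIONS)
        if risky:
            reasons.append("risky permissions: " + ", ".join(risky))
        if reasons:
            findings.append({"browser": "firefox", "id": ext_id,
                             "name": (addon.get("defaultLocale") or {}).get("name", "?"),
                             "reasons": reasons})
    return findings


# Constructed sample inventories (not real extensions): one benign store
# extension and one sideloaded, over-privileged extension per browser.
SAMPLE_CHROME_PREFS = json.dumps({"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": True, "location": 1, "state": 1,
        "manifest": {"name": "Sample Blocker", "permissions": ["storage"]}},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "from_webstore": False, "location": 4, "state": 1,
        "manifest": {"name": "Video Helper",
                     "permissions": ["webRequest", "tabs"],
                     "host_permissions": ["<all_urls>"]}}}}})

SAMPLE_FIREFOX_EXTENSIONS = json.dumps({"schemaVersion": 35, "addons": [
    {"id": "sample-notes@example.test", "type": "extension",
     "location": "app-profile", "signedState": 2,
     "defaultLocale": {"name": "Sample Notes"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "video-helper@example.test", "type": "extension",
     "location": "winreg-app-global", "signedState": 0,
     "defaultLocale": {"name": "Video Helper"},
     "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]}}]})


def audit_samples():
    """Run both audits over the constructed sample inventories."""
    return audit_chrome(SAMPLE_CHROME_PREFS) + audit_firefox(SAMPLE_FIREFOX_EXTENSIONS)


if __name__ == "__main__":
    for f in audit_samples():
        print("%-7s %s (%s): %s" % (f["browser"], f["name"], f["id"], "; ".join(f["reasons"])))
```

Only the two sideloaded "Video Helper" entries are reported; the store-installed extensions with a single `storage` permission produce nothing. The allowlist exists so that a fleet-wide run can suppress extensions the organization has approved and surface only the rest, which is the same posture the recommendation above asks for: know what is installed, and keep what is not expected under watch.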
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.