Trustwave discovered the first political malvertising campaign

Experts at Trustwave observed a group of cyber criminals helping spread pro-Russia propaganda by inflating video views with a malvertising campaign.

Security experts at Trustwave have discovered a botnet, originally designed for malvertising purpose, used redirect unaware users to view some pro-Russian videos on the website DailyMotion.

The event is very interesting due to the political motivation behind the attack as explained Trustwave.

“We recently observed what seems to be a group of cyber criminals helping spread pro-Russia messaging by artificially inflating video views and ratings on a popular video website.”wrote Rami Kogan of Trustwave’s SpiderLabs, in a blog post on Thursday. “We can’t know for sure who’s behind the fraudulent promotion of video clips, but it appears to be politically motivated,” 

The event is unusual for the security community, the experts at Trustwave explained that this is the first time they have observed the tactic used to promote video clips with a seemingly political agenda by inflating the number of views.

The threat actors behind the malvertising campaign used the Angler exploit kit to infect victims with the Bedep trojan, recently used to hit also the adult web site xHamster. According to the experts, the victims were infected after they visited a tourism website that hosted the Angler exploit kit.

Some of the computers were also redirected to domains hosting other exploit kits such as Neutrino and Magnitude in order to server further malicious code.

The infected machines were forced to browse sites to generate ad revenue, as well as, to visit a number of pro-Russia videos.

One of the videos promoted through the malvertising campaign is related to the Russian position on the dispute with the Ukraine in Crimea, meanwhile others are related to Russian political and military issues. The technique allows bad actors to collect around 320,000 views for each video.

The choice of the Bedep malware is not casual, bad actors exploited its ability to use a hidden virtual desktop on the infected computer and runs a fully-featured Internet Explorer instance, in this way the victims will never notice the visits to the propaganda videos and websites hosting advertisements.

“The objective of ad fraud is to generate fake traffic to ads and receive compensation based on traffic volume. Obviously, more compromised computers leads to more traffic directed to the ads which leads to more revenue for the fraudster. Usually the party that pays for ad views will perform validity checks to filter out invalid ad impressions.” states the report.

Researchers at Trustwave also discovered that threat actors behind the malvertising campaign is selling traffic from the infected machines to other criminal crews that use it to redirect it to compromised websites.

The videos have been removed from DailyMotion at the time I’m writing.

Pierluigi Paganini

(Security Affairs – malvertising, Russia)