Trustwave discovered the first political malvertising campaign

Experts at Trustwave observed a group of cyber criminals helping spread pro-Russia propaganda by inflating video views with a malvertising campaign.

Security experts at Trustwave have discovered a botnet, originally designed for malvertising purpose, used redirect unaware users to view some pro-Russian videos on the website DailyMotion.

The event is very interesting due to the political motivation behind the attack as explained Trustwave.

“We recently observed what seems to be a group of cyber criminals helping spread pro-Russia messaging by artificially inflating video views and ratings on a popular video website.”wrote Rami Kogan of Trustwave’s SpiderLabs, in a blog post on Thursday. “We can’t know for sure who’s behind the fraudulent promotion of video clips, but it appears to be politically motivated,” 

The event is unusual for the security community, the experts at Trustwave explained that this is the first time they have observed the tactic used to promote video clips with a seemingly political agenda by inflating the number of views.

The threat actors behind the malvertising campaign used the Angler exploit kit to infect victims with the Bedep trojan, recently used to hit also the adult web site xHamster. According to the experts, the victims were infected after they visited a tourism website that hosted the Angler exploit kit.

Some of the computers were also redirected to domains hosting other exploit kits such as Neutrino and Magnitude in order to server further malicious code.

The infected machines were forced to browse sites to generate ad revenue, as well as, to visit a number of pro-Russia videos.

One of the videos promoted through the malvertising campaign is related to the Russian position on the dispute with the Ukraine in Crimea, meanwhile others are related to Russian political and military issues. The technique allows bad actors to collect around 320,000 views for each video.

The choice of the Bedep malware is not casual, bad actors exploited its ability to use a hidden virtual desktop on the infected computer and runs a fully-featured Internet Explorer instance, in this way the victims will never notice the visits to the propaganda videos and websites hosting advertisements.

“The objective of ad fraud is to generate fake traffic to ads and receive compensation based on traffic volume. Obviously, more compromised computers leads to more traffic directed to the ads which leads to more revenue for the fraudster. Usually the party that pays for ad views will perform validity checks to filter out invalid ad impressions.” states the report.

Researchers at Trustwave also discovered that threat actors behind the malvertising campaign is selling traffic from the infected machines to other criminal crews that use it to redirect it to compromised websites.

The videos have been removed from DailyMotion at the time I’m writing.

Pierluigi Paganini

(Security Affairs – malvertising, Russia)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

3 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

15 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

19 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

24 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.