A new sort of hacktivism emerged last week when experts from Trustwave published new research revealing that attackers are using the Angler exploit kit and the Bedep Trojan in order to drive artificial views to politically controversial videos.
The motivation for the scheme, it appears, is to inflate the popularity of certain opinions by increasing the number of views reported by videos promoting those ideas. More specifically, the attackers are seeking to have these videos displayed more prominently on the video aggregation site Dailymotion. The use of botnets to artificially increase the number of views associated with a certain video is nothing new. However, Trustwave said this is the first time it has observed the tactic used in such a political fashion.
Trustwave’s Rami Kogan says he first observed the malware promoting pro-Russian content related to the Russo-Ukrainian conflict, defending a recent state-sponsored trip to Norway, and announcing militant deaths in the North Caucasus. Outside politics, Kogan believes that a similar but largely unrelated campaign is being used to inflate views for other videos on Dailymotion as well, including one announcing that U.S. actress and singer Anna Kendrick is writing a book and another debating which tech giant has the best headquarters. In both cases, attackers are simultaneously using Bedep to drive traffic to, and increase revenue from, online advertisements.
The attack begins with an infection driven by the notorious and preeminent Angler exploit kit. The attackers are using a malicious iframe to redirect victims from a compromised tourism site. Angler then checks for installed antivirus software and for developer tools frequently used by security researchers in order to avoid detection and analysis. If it finds no defensive mechanisms in place, the kit installs the Bedep trojan onto the victims’ machines.
In this case, Kogan observed Angler exploiting CVE-2014-6332, an OleAut32.dll vulnerability, and CVE-2015-0313, an Adobe Flash Player vulnerability.
Once Bedep is loaded, the malware’s command and control server drives the user to a specially crafted site that is overloaded with ad content in an attempt to increase the efficiency of the campaign’s click-fraud efforts. Meanwhile, videos are loaded on a hidden desktop without the user’s knowledge, serving the scam’s other mission: to increase the number of views for a given video in order to have it more prominently displayed on Dailymotion.
Strangely, once the click-fraud and view-inflation goals are achieved, the attackers seem to hand their victims off to other criminals by re-infecting their machines with either the Magnitude or Neutrino exploit kits.
“It seems that the guys behind this particular C&C are trying to maximize their profit by selling traffic from compromised computers to other campaigners that seek to spread their own malware via Magnitude and Neutrino,” Kogan writes. “Just to make it clear: An already infected computer is visiting ads silently without the user’s consent, and gets re-infected over and over again.”
Oddly, all of the pro-Russian videos claim to have garnered right around 320,000 views. The clips also have no “shares” on Facebook, “retweets” on Twitter or comments. Each has an embedded graph illustrating views from the last 24 hours.
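The two indicators Kogan points to (view counts that are both large and tightly clustered, and no shares, retweets or comments to go with them) can be turned into a simple triage heuristic for anyone who has to review engagement data for a video platform. The Python below is an added example and is not Trustwave’s or Dailymotion’s code; the video records, thresholds and field names are all constructed for illustration.

```python
"""Triage heuristic for view-inflation: flag videos whose view count is high
but whose social engagement is essentially zero, and group videos whose view
counts sit suspiciously close together.  Sample data is constructed."""

# Constructed records; the ~320,000-view cluster with zero engagement mirrors
# the pattern described in the article, the other two rows are ordinary videos.
SAMPLE_VIDEOS = [
    {"id": "vid-a", "views": 320_412, "shares": 0, "comments": 0},
    {"id": "vid-b", "views": 319_877, "shares": 0, "comments": 0},
    {"id": "vid-c", "views": 320_105, "shares": 0, "comments": 0},
    {"id": "vid-d", "views": 298_000, "shares": 1_240, "comments": 86},
    {"id": "vid-e", "views": 1_200, "shares": 3, "comments": 1},
]


def engagement_ratio(video):
    """Social actions per view; guards against a zero view count."""
    return (video["shares"] + video["comments"]) / max(video["views"], 1)


def flag_zero_engagement(videos, min_views=10_000, max_ratio=1e-4):
    """IDs of videos with many views but (almost) no shares or comments.
    min_views and max_ratio are assumed thresholds, not platform values."""
    return [
        v["id"]
        for v in videos
        if v["views"] >= min_views and engagement_ratio(v) <= max_ratio
    ]


def find_view_clusters(videos, tolerance=0.01, min_size=3):
    """Group videos whose view counts lie within `tolerance` (fraction of the
    lowest count in the group) of each other; return groups of at least
    `min_size` IDs, ordered by ascending view count."""
    ordered = sorted(videos, key=lambda v: v["views"])
    clusters, current = [], []
    for v in ordered:
        if current and abs(v["views"] - current[0]["views"]) <= tolerance * current[0]["views"]:
            current.append(v)
        else:
            if len(current) >= min_size:
                clusters.append([c["id"] for c in current])
            current = [v]
    if len(current) >= min_size:
        clusters.append([c["id"] for c in current])
    return clusters


def suspect_ids(videos):
    """Videos that trip both heuristics: zero engagement AND part of a
    view-count cluster.  Returned sorted so the result is deterministic."""
    zero_eng = set(flag_zero_engagement(videos))
    clustered = {vid for group in find_view_clusters(videos) for vid in group}
    return sorted(zero_eng & clustered)


if __name__ == "__main__":
    print("zero-engagement :", flag_zero_engagement(SAMPLE_VIDEOS))
    print("view clusters   :", find_view_clusters(SAMPLE_VIDEOS))
    print("suspect         :", suspect_ids(SAMPLE_VIDEOS))
```

Either heuristic on its own produces false positives (a genuinely unpopular-but-viewed clip, or two unrelated videos that happen to share a view count), which is why `suspect_ids` only reports videos that trip both; in practice the result is a review queue, not a verdict.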