The Sednit espionage group, also known as the Sofacy group, APT28 or “Fancy Bear”, has been targeting various institutions for many years. We recently discovered a component the group employed to reach physically isolated computer networks — “air-gapped” networks — and exfiltrate sensitive files from them through removable drives.
In this post, we examine the complex it fits into a larger click fraud ecosystem, where users can be redirected either automatically, or through search engines browsing, to advertisement websites.
This is the first in a series of two blog posts on the malware family Win32/Boaxxe.BE whose end goal is to drive traffic to advertisement websites by using various click fraud techniques, and thus earn money from these websites as an “advertiser”.
In this blog post, we will describe software detected by ESET products as Win32/Kankan, and explain why its discovery shocked many Chinese users, then we will provide an in-depth analysis of its functionalities – and discuss the evidence that Xunlei Networking Technologies is implicated.