Microsoft uncovers Sefnit Trojan return after Groupon click-fraud scam

The authors of the notorious Sefnit Trojan have resurfaced using new infection and click-fraud techniques to make money from bogus advertising clicks, according to Microsoft.

Microsoft antivirus researcher Geoff McDonald reported discovering an evolved version of the Sefnit Trojan, which makes money by defrauding advertisers such as Groupon with faked advertisement clicks.

In a blog post on the company’s Malware Protection Centre, McDonald wrote: “The Sefnit click-fraud component is now structured as a proxy service based on the open-source 3proxy project. The botnet of Sefnit-hosted proxies is used to relay HTTP traffic to pretend to click on advertisements. In this way, the new version of Sefnit exhibits no clear visible user symptoms to bring attention to the botnet. This allowed them to evade attention from anti-malware researchers for a couple of years.

“The Sefnit botnet uses the hosted 3proxy servers to redirect internet traffic and perform fake advertisement clicks. A recorded example of this click-fraud path is shown below by using the legitimate affiliate search engine to simulate a search for ‘cat’ and fake a click on an advertisement provided by Google to defraud the advertiser Groupon.”

He said the technique allowed the criminals behind the malware to increase the revenue they made using the scam. “The end result is Groupon paying a small amount of money for this fake advertisement ‘click’ to Google. Google takes a portion of the money and pays the rest out to the website hosting the advertisement – Mywebsearch. The Sefnit authors likely signed up as an affiliate for Mywebsearch, resulting in the Sefnit criminals then receiving a commission on the click.”
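The click path described above gives the affiliate search engine (or the ad network) a concrete place to look for relayed traffic in its own access logs. The following Python script is an added illustration, not code from Microsoft’s blog post or from V3’s reporting: it parses a constructed access log in an assumed "timestamp ip method path referer user-agent" layout, and flags source addresses whose ad clicks either have no preceding search at all, or follow their search at a fixed, machine-like interval. The /search and /click paths, the thresholds and every log line are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed log layout: "ts ip method path referer user-agent" (user-agent may
# contain spaces, so it is the trailing group).
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")

# Constructed sample traffic (not real data): 203.0.113.10 behaves like a
# person (one search, one click 13s later); 198.51.100.7 clicks exactly 2s
# after every search; 192.0.2.44 clicks with no search at all.
SAMPLE_LOG = """\
2013-09-25T10:00:01 203.0.113.10 GET /search?q=cat - Mozilla/5.0
2013-09-25T10:00:14 203.0.113.10 GET /click?ad=groupon-cat-food http://search.example/search?q=cat Mozilla/5.0
2013-09-25T10:01:00 203.0.113.10 GET /search?q=cat+toys - Mozilla/5.0
2013-09-25T10:02:00 198.51.100.7 GET /search?q=cat - Mozilla/5.0
2013-09-25T10:02:02 198.51.100.7 GET /click?ad=groupon-cat-food http://search.example/search?q=cat Mozilla/5.0
2013-09-25T10:02:10 198.51.100.7 GET /search?q=cat - Mozilla/5.0
2013-09-25T10:02:12 198.51.100.7 GET /click?ad=groupon-cat-food http://search.example/search?q=cat Mozilla/5.0
2013-09-25T10:02:20 198.51.100.7 GET /search?q=cat - Mozilla/5.0
2013-09-25T10:02:22 198.51.100.7 GET /click?ad=groupon-cat-food http://search.example/search?q=cat Mozilla/5.0
2013-09-25T10:03:00 192.0.2.44 GET /click?ad=groupon-cat-food - Mozilla/5.0
2013-09-25T10:03:01 192.0.2.44 GET /click?ad=groupon-cat-food - Mozilla/5.0
"""


def parse_log(text):
    """Parse log lines into dicts, skipping malformed lines, ordered by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line should not take the detector down
        ts, ip, method, path, referer, ua = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "method": method, "path": path,
                       "referer": referer, "ua": ua})
    events.sort(key=lambda e: e["ts"])
    return events


def analyze(text, window=300, min_clicks=3, max_stdev=1.0, max_clicks=20):
    """Per source IP: click count, clicks with no recent search, and reasons
    the IP looks like a relay rather than a person. Thresholds are assumed."""
    by_ip = defaultdict(list)
    for e in parse_log(text):
        by_ip[e["ip"]].append(e)

    report = {}
    for ip, evs in by_ip.items():
        clicks, orphans, intervals = 0, 0, []
        last_search = None
        for e in evs:
            if e["path"].startswith("/search"):
                last_search = e["ts"]
            elif e["path"].startswith("/click"):
                clicks += 1
                if last_search is None:
                    orphans += 1          # click with no search behind it
                    continue
                gap = (e["ts"] - last_search).total_seconds()
                if gap > window:
                    orphans += 1          # search too old to explain the click
                else:
                    intervals.append(gap)
        reasons = []
        if orphans:
            reasons.append("click-without-search")
        # A person's think time varies; a relay driven by a script does not.
        if len(intervals) >= min_clicks and statistics.pstdev(intervals) <= max_stdev:
            reasons.append("mechanical-timing")
        if clicks >= max_clicks:
            reasons.append("click-volume")
        report[ip] = {"clicks": clicks, "orphan_clicks": orphans,
                      "intervals": intervals, "reasons": reasons}
    return report


def suspicious_ips(text, **kwargs):
    """Sorted list of source IPs that tripped at least one heuristic."""
    return sorted(ip for ip, r in analyze(text, **kwargs).items() if r["reasons"])


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(ip, r["clicks"], r["orphan_clicks"], r["reasons"])
```

Because the 3proxy relays run on infected end-user machines, the clicks arrive from ordinary-looking residential addresses and IP reputation alone will not separate them from real visitors. The script therefore keys on what McDonald describes as the removal of user interaction: a click that no search preceded, or a run of clicks that follow their searches at an interval no human produces.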

A Groupon spokesperson told V3 the company actively monitors its network for any illicit activity. “We actively monitor our thousands of global affiliate marketers, and those who violate the rules are removed from the programme.”

McDonald said Microsoft uncovered evidence linking Sefnit to the Mevade malware used in the world’s first large-scale Tor botnet.

“Recently Trojan:Win32/Mevade made news for being the first large botnet to use Tor to anonymise and hide its network traffic. Within a few weeks, starting mid-August, the number of directly connecting Tor users increased by almost 600 percent – from about 500,000 users per day to more than three million,” he wrote.

“Last week we concluded, after further review, that Mevade and Sefnit are the same family and our detections for Mevade have now been moved to join the Sefnit family.”

As well as its links to Mevade, McDonald said the malware is also using a host of new custom-built components to improve its infection rate. “This latest version of Sefnit shows they are using multiple attack vectors, even going as far as writing their own bundler installers to achieve the maximum number of infections that make this type of click fraud a financially viable exercise,” he wrote.

“The authors have adapted their click-fraud mechanisms in a way that takes user interaction out of the picture while maintaining the effectiveness. This removal of the user-interaction reliance in the click-fraud methodology was a large factor in the Sefnit authors being able to stay out of the security researchers’ radars over the last couple of years.”

Sefnit is one of several malware families to receive technical upgrades in recent months. Earlier this month FireEye researchers reported discovering a reworked version of the Darkleech campaign, which targets Java and Adobe vulnerabilities to spread the Reveton ransomware.