Online propaganda was phase one. Then came hijacking computers.
The Kremlin-linked Russian troll farm known as the Internet Research Agency took an ominous detour into malware distribution in the middle of the 2016 presidential campaign, targeting teenage girls in the U.S. with a Chrome plug-in that pulled their browsers into a crude botnet, according to an analysis by The Daily Beast and outside security experts.
The app, called FaceMusic, was billed as an embedded music player that would allow users to listen to free tunes while browsing Facebook. The Internet Research Agency purchased Facebook ads promoting the app in May 2016 through one of its fraudulent profiles, “Stop All Invaders,” which normally pushed xenophobic anti-immigration memes in support of the Donald Trump campaign.
Facebook data released by Congress last week shows the FaceMusic ads garnered 24,623 impressions from 107 ads, but only 85 clicks in all. The most successful single ad run, with 28 clicks, used Facebook’s targeting system to go after female users in the United States between 14 and 17 years old. (In total, more than 13,000 machines were likely infected by the FaceMusic malware, according to a Daily Beast analysis.)
Google has since removed the malicious app from the Chrome store, and the public FaceMusic website at fbmusic[.]com is now defunct. But an examination of an archived copy of the code, coupled with an analysis of its web traffic, shows it packed hidden functionality that was active even when the victim wasn’t on Facebook.
Compared to serious malware threats, FaceMusic is relatively benign, perhaps because it had to pass Google’s review before being allowed on the Chrome Web Store. By all evidence it does not harvest user information—beyond the user’s Facebook ID and profile picture—nor does it expose or corrupt the computer’s files. A June 2016 post spotted by Wired suggests that at least some versions of the code could spam a victim’s Facebook friends with FaceMusic invitations, but the version examined by The Daily Beast had no obvious signs of that capability.
What this version of FaceMusic did have was a secret line of communication to a second, private website in Russia that lived at the address extad[.]info—“extad” being a transliteration of the Russian word for “export.” The app is programmed to report to that server every minute as long as the browser is open, continuously sending the user’s unique identifier and asking for further instructions.
One of the instructions it accepts from the control server, called “track_cpa,” has nothing to do with playing music. It comes with a list of web addresses, and the app is programmed to go through each one and connect to it from the user’s computer, with no outward evidence that anything is happening.
Similar code has been seen in so-called click-fraud schemes to simulate clicks on advertisements. It’s unclear why the Internet Research Agency wanted that capability, but there are a couple of possible reasons it could be useful to an organization dedicated to circulating fake news and divisive memes.
Virtually every web forum where the agency posted content has a voting system that increases the visibility of more popular posts. If the agency wanted to make sure that its latest post on the Clinton Foundation rose to the top of the pile, it might direct its FaceMusic botnet to slam the up-vote link with hits.
Top forums wouldn’t be vulnerable to such a straightforward scheme, but smaller ones might. “I’ve seen cases like this before,” said Shane Wilton, senior security researcher at Tinfoil Security, who examined the code at The Daily Beast’s request. “I would be surprised if Reddit or Facebook had that problem, but if the [troll farm] is active on other smaller social media, this is exactly the sort of thing that would be useful for.”
The troll farm might also have used the app to generate traffic for web articles written or approved by the agency, to encourage more of the same.
“If, for example, an article uses a tracking pixel to track page views, they [the troll farm] could artificially inflate that by loading that image” through the botnet, said Michael Borohovski, Tinfoil’s co-founder and CTO. “If the publication or aggregator is using page-views as a metric for popularity, that could drive an article to the top.”
In either scenario, to website administrators each click would appear to be coming from a different user. Depending on the website being gamed, the troll farm could even choose to activate only users in a region that makes sense—clicks on a website dealing with topics specific to Ukraine, for example, would only come from infected browsers in that country. If a site has a global audience, the entire botnet could be activated at once, flooding the link with hits from around the world.
Google had no immediate comment for this story, but on Saturday a spokesperson told Wired that the company took the extension out of its app store in 2016, and removed it “from every user’s computer.”
That last part, though, isn’t entirely true.
The Daily Beast noticed last week that the registration had expired on the extad[.]info web address used to control the troll farm’s browser botnet. We registered the domain and began logging the incoming connections. The server is receiving FaceMusic queries from over 100 different computers where the long-moribund Chrome extension is still lying around.
The data shows that FaceMusic implants are active in 32 different countries. Ukraine has the most implants, at 20. The United States, which was targeted in the Facebook ad buy, has only five. The user ID numbers appearing in the logs range from 466 to 13,780, suggesting that over 13,000 users installed the app before Google blocked it.
That uneven geographic distribution implies that Russia’s troll farm may have deployed the malware first in its own neighborhood. Ukraine was a target of the Internet Research Agency well before it muscled into the U.S. election.
“Maybe they built it for Ukraine and it worked to a certain extent, and they decided to try it out in the U.S.,” said Clint Watts, a former FBI agent and expert on Russia’s influence campaign.
That means FaceMusic could mark a new, troubling tactic in Russia’s propaganda war, or it might just be a one-off experiment that didn’t produce the expected returns, said Watts. The troll farm has been known to float spectacular failures from time to time, like the fake Hillary Clinton sex tape, and the equally ignored “Hilltendo” Flash game.
“They do live experiments, and if it doesn’t work, they don’t get shook,” said Watts. “What someone else might do in a test under controlled conditions, they do for real, because they don’t care.”
Records show that public FaceMusic website, fbmusic[.]com, was registered in April 2016 to a man in St. Petersburg, Russia, where the Internet Research Agency is based. The Daily Beast reached the man by text message over the weekend. He texted back that his identity was stolen to register the site. “This is not mine,” he wrote. “Now I will deal with the registrar: who and how, and most importantly, why, did they register this domain for me?”
The man vigorously denied any connection to the Internet Research Agency: “I have nothing to do with this organization,” he wrote. “I now read about them in fear of the horrors they create.”
It’s unclear if he was trolling us.