Wednesday, May 22, 2024

Hackers Use GitHub to Host Malware and Abuse a Legitimate Yandex-Owned Ad Service to Attack Victims

Threat actors are distributing malware by posting malicious ads that redirect users to websites offering malicious downloads disguised as document templates.

The hacker group abused Yandex.Direct, an online advertising network, to run the malvertising campaign, while the malware itself was hosted on GitHub.

According to a report from the ESET Research team, the campaign distributes the well-known Buhtrap and RTM malware along with ransomware and cryptocurrency stealers. The campaign primarily targeted organizations in Russia.

The campaign primarily targets corporate accounting departments: the attackers lure targets who search for keywords such as "download invoice template", "contract example" or "contract form" in order to compromise their computers.

By displaying ad banners on a legitimate accounting forum, the attackers drive potential victims to the malicious website.

The attackers tied different payloads together and hosted all the malicious files in two different GitHub repositories.

“Moreover, the cybercriminals put the malicious files on their GitHub repository only for a limited period of time, probably while the ad campaign was active, else the payload on GitHub was an empty zip file or a clean executable.”

ESET researchers observed that the campaign started in late October 2018 and is still active, and they found six different malware families being hosted on GitHub.

The attackers signed the malicious files with multiple code-signing certificates to convince users that they are installing a genuine product rather than a tampered one.

The following is a list of the malware families and of the certificates used.

The component Win32/Filecoder.Buhtrap has ransomware behavior and primarily targets database management systems. Once triggered, it encrypts all the files.

Win32/ClipBanker focuses on the clipboard: it checks for cryptocurrency addresses and, if it finds any, replaces them with addresses belonging to the threat actor.

Win32/RTM is a banking trojan that aims to extract financial details from infected victims' machines. The trojan is written in Delphi.

Researchers noted two differences in this Buhtrap backdoor: first, the “backdoor is loaded directly in memory, not using the usual DLL side-loading trick and second, they changed the RC4 key used to encrypt network traffic to the C&C server.”

The heavily obfuscated Android component Android/Spy.Banker hosted on GitHub has the following capabilities: record the microphone, take screenshots, get the GPS position, log keystrokes, encrypt device data and demand a ransom, and send spam.

MSIL/ClipBanker.IH is a Windows executable that hijacks the clipboard and targets a wide range of cryptocurrencies as well as Steam trade offers. It also captures the WIF private key and sends it out over an exfiltration channel.
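The clipper behavior described for Win32/ClipBanker and MSIL/ClipBanker.IH (a copied cryptocurrency address silently replaced by the attacker's) has a recognisable signature that a defender can watch for. The following detection logic is an added example, not code from the article or from ESET: it classifies clipboard strings by coin family with loose syntactic patterns (no checksum validation, an assumption made for brevity) and flags any poll-to-poll change where one address is replaced by a different address of the same family. The clipboard snapshots and addresses are constructed, not real indicators.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Loose syntactic patterns for the coin families clippers commonly swap.
# Assumption: syntax only, no base58/bech32/EIP-55 checksum validation.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify_address(text: str) -> Optional[str]:
    """Return the coin family a clipboard string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None

@dataclass
class SwapAlert:
    family: str
    original: str
    replacement: str

def detect_clipboard_swaps(polls: List[str]) -> List[SwapAlert]:
    """Scan successive clipboard snapshots for the clipper signature:
    an address replaced by a *different* address of the same family.
    A user deliberately copying a second address also matches, so a
    real monitor would correlate this with copy events as well."""
    alerts = []
    for prev, cur in zip(polls, polls[1:]):
        fam_prev, fam_cur = classify_address(prev), classify_address(cur)
        if fam_prev and fam_prev == fam_cur and prev.strip() != cur.strip():
            alerts.append(SwapAlert(fam_prev, prev.strip(), cur.strip()))
    return alerts

# Constructed clipboard poll log (not real IoCs): the user copies a BTC
# address to pay an invoice; between two polls it changes to another
# address, which is how ClipBanker-style malware redirects the payment.
SAMPLE_POLLS = [
    "invoice #4471",
    "1Examp1ePayeeAddr4aB7cD9eFgHjKmNpQ",    # user copies the payee address
    "1Examp1ePayeeAddr4aB7cD9eFgHjKmNpQ",    # unchanged on the next poll
    "3AttackerSwapAddrXyZ8uV6tS5rQ4pN2mK",   # silently replaced: alert
    "0xAbCdEf0123456789aBcDeF0123456789AbCdEf01",  # different family: no alert
]

if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLE_POLLS):
        print(f"[ALERT] {a.family}: {a.original} -> {a.replacement}")
```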

Researchers contacted Yandex and GitHub, and the malvertising campaign and the hosted malware have since been removed.


Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
