Threat actors are distributing malware by posting malicious ads that redirect users to websites offering malicious downloads disguised as document templates.
The hacker group abused Yandex advertising to place the malicious ads.
According to the ESET Research team's report, the campaign distributes the well-known Buhtrap and RTM malware along with ransomware and cryptocurrency stealers. The campaign primarily targeted organizations in Russia.
The campaign primarily targets corporate accounting departments: the attackers lure targets who search for keywords such as "download invoice template", "contract example" or "contract form" and then compromise their computers.
By displaying ad banners on a legitimate accounting forum, the attackers drive potential victims to the malicious website.
The attackers tie different payloads together and host all the malicious files in two different GitHub repositories.
“Moreover, the cybercriminals put the malicious files on their GitHub repository only for a limited period of time, probably while the ad campaign was active, else the payload on GitHub was an empty zip file or a clean executable.”
ESET researchers observed that the campaign started in late October 2018 and is still active, and they identified six different malware families hosted on GitHub.
The attackers signed the malicious files with multiple code-signing certificates to convince users that they are installing a genuine product rather than a tampered one. A valid signature only proves that the signer held the certificate; it says nothing about whether the publisher is trustworthy.
The following is the list of the malware and the certificates used.
The component Win32/Filecoder.Buhtrap exhibits ransomware behavior and primarily targets database management systems. Once triggered, the malware encrypts all files.
Win32/ClipBanker focuses on the clipboard: it checks for cryptocurrency addresses and, if it finds any, replaces them with an address belonging to the threat actor.
Win32/RTM is a banking trojan that aims to extract financial details from infected victims' machines. The trojan is written in Delphi.
Researchers observed two changes in the Buhtrap backdoor: in the first case the "backdoor is loaded directly in memory, not using the usual DLL side-loading trick and second, they changed the RC4 key used to encrypt network traffic to the C&C server."
The heavily obfuscated Android component Android/Spy.Banker, also hosted on GitHub, has the following capabilities: record microphone, take a screenshot, get GPS position, log keystrokes, encrypt device data and demand ransom, and send spam.
MSIL/ClipBanker.IH is a Windows executable that hijacks the clipboard and targets a wide range of cryptocurrencies as well as Steam trade offers. It uses iplogger.org as an exfiltration channel for captured WIF private keys.
Researchers contacted Yandex and GitHub; the malvertising campaign and the hosted malware have since been removed.
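The two ClipBanker components above share one behaviour: an address the user copied is silently replaced with one of the attacker's, and in the MSIL variant captured WIF keys leave via iplogger.org. The script below is an added defensive example written for this article; it is not code from ESET's report or from the malware. It flags a clipboard swap (the copied and pasted values are both cryptocurrency addresses or keys but differ) and scans constructed proxy-log lines for requests to the exfiltration host named in the report. The address patterns, the log format and the sample addresses are all assumptions or constructed values, not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Address / key formats a clipboard hijacker of this kind looks for.
# The patterns are assumed, commonly used encodings (Base58 legacy Bitcoin,
# Bech32, hex Ethereum, Base58 WIF private keys), not taken from the report.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(rf"^[13]{BASE58}{{25,34}}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "wif_private_key": re.compile(rf"^(5{BASE58}{{50}}|[KL]{BASE58}{{51}})$"),
}

# Constructed sample values with a valid Base58 shape; they are not real wallets.
VICTIM_ADDR = "1" + "ConstructedVictimAddr" + "A" * 12
ATTACKER_ADDR = "1" + "ConstructedAttackerAddr" + "A" * 10


def classify(text: str):
    """Return the address/key family `text` looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_swap(copied: str, pasted: str):
    """Flag the ClipBanker pattern: the user copied an address and the
    clipboard now holds a different address.

    `copied` is what the user put on the clipboard, `pasted` is what the
    clipboard held when it was read back. Returns an alert dict or None.
    """
    before, after = classify(copied), classify(pasted)
    if before is None or after is None:
        return None
    if copied.strip() == pasted.strip():
        return None
    return {
        "kind": before,
        "copied": copied.strip(),
        "pasted": pasted.strip(),
        "same_family": before == after,
    }


# Constructed proxy-log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2019-02-01T09:12:01Z 10.0.0.21 GET https://intranet.example.invalid/ 200",
    "2019-02-01T09:12:07Z 10.0.0.21 GET https://iplogger.org/ 200",
    "2019-02-01T09:13:44Z 10.0.0.37 POST https://update.example.invalid/ 200",
]

# Exfiltration channel named in the report; extend with your own intelligence.
EXFIL_HOSTS = ("iplogger.org",)


def find_exfil_requests(log_lines, hosts=EXFIL_HOSTS):
    """Return (client, host) pairs for requests to known exfiltration hosts."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash the scan
        host = (urlparse(fields[3]).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in hosts):
            hits.append((fields[1], host))
    return hits


if __name__ == "__main__":
    print(detect_swap(VICTIM_ADDR, ATTACKER_ADDR))
    print(find_exfil_requests(SAMPLE_PROXY_LOG))
```

In practice `detect_swap` would be fed by an endpoint agent that records what the user copied and compares it with the clipboard contents at paste time; the host check belongs in whatever already parses your proxy or DNS logs. Matching on the exfiltration host catches the MSIL variant's key theft even when the binary itself is signed and passes reputation checks.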
Indicators of Compromise (IoCs)