Hackers Use GitHub to Host Malware to Attack Victims by Abusing Yandex-Owned Legitimate Ad Service

Threat actors distribute malware by posting malicious ads that redirect users to websites offering malicious downloads disguised as document templates.

The hacker group abused Yandex.Direct, an online advertising network, to run the malvertising campaign, with the malware itself hosted on GitHub.

According to the ESET Research team's report, the campaign distributes the well-known Buhtrap and RTM malware along with ransomware and cryptocurrency stealers. The campaign primarily targeted organizations in Russia.

The campaign primarily targets corporate accounting departments: attackers lure targets who search for keywords such as "download invoice template", "contract example" or "contract form" in order to compromise their computers.

By displaying ad banners on a legitimate accounting forum, the attackers drive potential victims to the malicious website.

Attackers tied different payloads together and hosted all the malicious files in two different GitHub repositories.

“Moreover, the cybercriminals put the malicious files on their GitHub repository only for a limited period of time, probably while the ad campaign was active, else the payload on GitHub was an empty zip file or a clean executable.”

ESET researchers observed that the campaign started in late October 2018 and is still active, and they identified six different malware families being hosted on GitHub.

The attackers signed the malicious files with multiple code-signing certificates to convince users that they are installing a genuine product rather than a tampered one.

The following is a list of the malware families and the certificates used.

The component Win32/Filecoder.Buhtrap shows ransomware behavior and primarily targets database management systems. Once triggered, it encrypts all files.

Win32/ClipBanker focuses on the clipboard: it checks for cryptocurrency addresses and, if it finds any, replaces them with an address belonging to the threat actor.

Win32/RTM is a banking trojan that aims to extract financial details from infected victims' machines. The trojan is written in Delphi.

Researchers observed two changes in the Buhtrap backdoor: in the first case, the “backdoor is loaded directly in memory, not using the usual DLL side-loading trick and second, they changed the RC4 key used to encrypt network traffic to the C&C server.”

The heavily obfuscated Android component Android/Spy.Banker hosted on GitHub has the following capabilities: record microphone, take a screenshot, get GPS position, log keystrokes, encrypt device data and demand ransom, and send spam.

MSIL/ClipBanker.IH is a Windows executable that hijacks the clipboard and targets a wide range of cryptocurrencies as well as Steam trade offers. It uses iplogger.org as an exfiltration channel to capture the WIF private key.
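The clipboard-swapping behavior described for Win32/ClipBanker and MSIL/ClipBanker.IH above leaves a detectable trace: the clipboard holds one valid payment address and, a fraction of a second later, a different valid address the user never copied. The following detection heuristic is an added example, not code from the article or from ESET; it runs over a constructed clipboard history (a real monitor would feed it from a clipboard-change hook) and validates Bitcoin legacy addresses with a Base58Check decoder so that ordinary text is never flagged.

```python
import hashlib
import re
from typing import List, Tuple

# Constructed clipboard history: (seconds since start, clipboard text).
# The second address appears 100 ms after the first, which is the signature
# of a hijacker replacing the payee address. Both addresses are well-known
# public example addresses, not indicators from the article.
CLIPBOARD_HISTORY = [
    (0.0, "Invoice #2231 for services rendered"),
    (12.5, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # user copies the payee address
    (12.6, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # replaced without user action
    (40.0, "Contract template v3"),
]

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
LEGACY_BTC = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def base58check_ok(addr: str) -> bool:
    """True if addr is a syntactically valid legacy (P2PKH/P2SH) Bitcoin
    address whose Base58Check checksum (first 4 bytes of SHA-256d) verifies."""
    if not LEGACY_BTC.match(addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + ALPHABET.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # version(1) + hash160(20) + checksum(4)
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def detect_address_swaps(history: List[Tuple[float, str]],
                         max_gap: float = 2.0) -> List[Tuple[str, str, float]]:
    """Flag consecutive clipboard states that are both valid BTC addresses,
    differ, and were written within max_gap seconds. A person rarely copies
    two different payment addresses that quickly; a clipboard hijacker does."""
    swaps = []
    for (t0, a), (t1, b) in zip(history, history[1:]):
        a, b = a.strip(), b.strip()
        if a != b and t1 - t0 <= max_gap and base58check_ok(a) and base58check_ok(b):
            swaps.append((a, b, round(t1 - t0, 3)))
    return swaps


if __name__ == "__main__":
    for original, replacement, gap in detect_address_swaps(CLIPBOARD_HISTORY):
        print(f"ALERT: clipboard address swapped after {gap}s: {original} -> {replacement}")
```

The same pattern extends to other coin formats by adding a validator per address type; the timing heuristic is unchanged.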

Researchers contacted Yandex and GitHub, and the malvertising campaign and the hosted malware have been removed.

Indicators of Compromise (IoCs)



Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
