Hackers Use GitHub to Host Malware to Attack Victims by Abusing Yandex Owned Legitimate ad Service

Threat actors distribute malware by posting malicious ads that redirect users to the websites that offering malicious downloads disguised as document templates.

The hacker group abused Yandex.Direct, an online advertising network to post the malvertising campaign and the malware hosted on GitHub.

According to ESET Research team report, the campaign distributes the well-known Buhtrap and RTM along with the ransomware and cryptocurrency stealers. The campaign primarily targeted organizations in Russia.

The campaign primarily targets corporate accounting departments, where attackers lure the targets searching for keywords download invoice template, contract example or contract form and to compromise their computers.

By displaying the ad banners in legitimate accounting forum, the attackers drive the potential victims to the malicious website.

Attackers tie different payloads together and they hosted all the malicious files in two different GitHub repositories.

“Moreover, the cybercriminals put the malicious files on their GitHub repository only for a limited period of time, probably while the ad campaign was active, else the payload on GitHub was an empty zip file or a clean executable.”

ESET researchers observed the campaigns started in late October 2018 and is still active and they observed six different malware families being hosted on GitHub.

They have signed the malicious files with multiple code-signing certificates to show users that they are installing the genuine product and not the tampered one.

Following are a list of the malware and the list of certificates used.

The component Win32/Filecoder.Buhtrap has ransomware behavior, it primarily targeted database management systems. once this malware triggered it encrypts all the files.

Win32/ClipBanker focuses on the clipboard, it checks for the cryptocurrency addresses, if it founds any cryptocurrency addresses it replaces them with the one belongs to threat actor.

Win32/RTM is a banking trojan aims in extracting the financial details from the infected victims’ machine. The trojan was written in Delphi language.

Researchers observed two cases with Buhtrap backdoor, in the first case “backdoor is loaded directly in memory, not using the usual DLL side-loading trick and second, they changed the RC4 key used to encrypt network traffic to the C&C server.”

The heavily obfuscated Android component Android/Spy.Banker that hosted on GitHub has following capabilities that include Record microphone, Take a screenshot, Get GPS position, Log keystrokes, Encrypt device data and demand ransom and Send spam.

MSIL/ClipBanker.IH is a Windows executable that hijacks the clipboard capabilities and targets a wide range of cryptocurrencies as well as Steam trade offers. It uses iplogger.org as an exfiltration channel to capture the WIF private key.

Researchers contacted the Yandex, GitHub and the malvertising campaign and the hosted malware has been removed.

Indicators of Compromise (IoCs)

79B6EC126818A396BFF8AD438DB46EBF8D1715A1	hashfish.exe
11434828915749E591254BA9F52669ADE580E5A6	hashfish.apk
BC3EE8C27E72CCE9DB4E2F3901B96E32C8FC5088	hashfish.exe
CAF8ED9101D822B593F5AF8EDCC452DD9183EB1D	btctradebot.exe
B2A1A7B3D4A9AED983B39B28305DD19C8B0B2C20	blanki.exe
1783F715F41A32DAC0BAFBBDF70363EC24AC2E37	blanki.exe
291773D831E7DEE5D2E64B2D985DBD24371D2774	blanki.exe
4ADD8DCF883B1DFC50F9257302D19442F6639AE3	masterblankov24.exe
790ADB5AA4221D60590655050D0FBEB6AC634A20	masterblankov24.exe
E72FAC43FF80BC0B7D39EEB545E6732DCBADBE22	vseblanki24.exe
B45A6F02891AA4D7F80520C0A2777E1A5F527C4D	vseblanki24.exe
0C1665183FF1E4496F84E616EF377A5B88C0AB56	vseblanki24.exe
81A89F5597693CA85D21CD440E5EEAF6DE3A22E6	vseblanki24.exe
FAF3F379EB7EB969880AB044003537C3FB92464C	vseblanki24.exe
81C7A225F4CF9FE117B02B13A0A1112C8FB3F87E	master-blankov24.exe
ED2BED87186B9E117576D861B5386447B83691F2	blanki.exe
6C2676301A6630DA2A3A56ACC12D66E0D65BCF85	blanki.exe
4B8A445C9F4A8EA24F42B9F80EA9A5E7E82725EF	mir_vseh_blankov_24.exe
A390D13AFBEFD352D2351172301F672FCA2A73E1	master_blankov_300.exe
1282711DED9DB140EBCED7B2872121EE18595C9B	sbornik_dokumentov.exe
372B4458D274A6085D3D52BA9BE4E0F3E84F9623	sbornik_dokumentov.exe
9DE1F602195F6109464B1A7DEAA2913D2C803362	nike.exe

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Hackers Abuse GitHub Service to Host Variety of Phishing Kits to Steal Login Credentials

Hackers Exploiting More than 9000 Cisco RV320/RV325 Routers After POC published in GitHub

GitHub Announces Unlimited Private Repositories For Free Plan

Gentoo Linux GitHub Account Hacked, Attackers Modified Repositories