Cybercriminals have been reported to abuse Yandex.Direct, a Russian online advertising service, in a malvertising campaign. The campaign places malicious ads aimed at a large number of Russian accountants with the sole purpose of delivering ransomware and banking trojans to them.
This large malvertising campaign is spreading several malware families designed to encrypt users' data and steal cryptocurrency.
Security analysts from ESET, an IT security company headquartered in Slovakia, have identified six malware families associated with this ongoing campaign. Over the past few months the group behind it has targeted Russian organizations using two well-known backdoors, Buhtrap and RTM, alongside cryptocurrency stealers and ransomware.
The campaign primarily targeted the accounting departments of businesses by placing malicious ads through Yandex.Direct. Users searching for sample contracts and contract forms were redirected to websites offering malicious downloads disguised as document templates, and their systems were compromised when they ran the downloads.
ESET's researchers disclosed that potential victims searching for terms such as "download invoice template" or "example of legal contracts" were led to the malvertising pages. It is clear that corporate entities, and specifically their accountants, were the intended targets of the campaign.
The attackers bundled different payloads together and hosted all of the malicious files on two separate GitHub repositories. The files were only kept in the repositories for a limited time, while an ad campaign was active; most of the time the GitHub payload was an empty ZIP file or a clean executable.
The campaign is reported to have started in October 2018 and has continued to compromise accountants' systems since then. Six different malware families have been hosted in the GitHub repositories.
Researchers found that the attackers lured victims into downloading the malicious files through a website whose design and file names were convincing: they referred to form samples, templates, contract samples and similar documents.
The fake software advertised on the website was described as "Collection of templates 2018: forms, templates, contracts & samples."
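A defender's first check on a download like the "template collection" described above is whether the archive actually contains documents. The following is an added example, not ESET's code or anything taken from the campaign: it builds a constructed sample ZIP in memory (the member names and contents are invented for illustration) and flags members that carry an executable extension, a double extension such as .doc.exe, a name padded with spaces to push the real extension out of view, or a PE (MZ) header under a document extension. It also reports an empty archive, the state the page says the GitHub payload was in most of the time.

```python
import io
import re
import zipfile
from typing import Dict, List

# Extensions Windows will execute on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Extensions an accountant would expect in a collection of forms and contracts.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".odt"}


def classify_member(name: str, head: bytes) -> List[str]:
    """Return the reasons a ZIP member looks like an executable posing as a document."""
    reasons = []
    lower = name.lower()
    final_ext = "." + lower.rsplit(".", 1)[-1].strip() if "." in lower else ""
    stem = lower[: lower.rfind(".")] if "." in lower else lower
    inner_ext = "." + stem.rsplit(".", 1)[-1].strip() if "." in stem else ""
    if final_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + final_ext)
    if final_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        reasons.append("double extension " + inner_ext + final_ext + " mimics a document")
    if head.startswith(b"MZ") and final_ext not in EXECUTABLE_EXTS:
        reasons.append("PE header (MZ) under a non-executable extension")
    if re.search(r" {3,}", name):
        reasons.append("run of spaces hides the real extension")
    return reasons


def inspect_template_archive(data: bytes) -> Dict[str, object]:
    """Inspect ZIP bytes. Returns {"empty": bool, "flagged": {member name: [reasons]}}."""
    result: Dict[str, object] = {"empty": False, "flagged": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if not members:
            result["empty"] = True  # the "clean" state the repository was usually left in
            return result
        for m in members:
            with zf.open(m) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(m.filename, head)
            if reasons:
                result["flagged"][m.filename] = reasons
    return result


def build_sample_archive(members: Dict[str, bytes]) -> bytes:
    """Helper that writes an in-memory ZIP so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archive (names and contents are invented for this example).
PADDED_NAME = "legal_contract_example.docx" + " " * 16 + ".scr"
SAMPLE_ARCHIVE = build_sample_archive({
    "contract_template.rtf": b"{\\rtf1 sample contract}",        # genuine document
    "invoice_template.doc.exe": b"MZ\x90\x00" + b"\x00" * 60,    # double extension
    "forms_2018.pdf": b"MZ\x90\x00" + b"\x00" * 60,              # PE under .pdf
    PADDED_NAME: b"MZ" + b"\x00" * 30,                          # padded name
})
EMPTY_ARCHIVE = build_sample_archive({})

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_ARCHIVE), ("empty", EMPTY_ARCHIVE)):
        print(label, inspect_template_archive(blob))
```

The check reads only the first two bytes of each member, so it is cheap enough to run on every download before it reaches a user; a production version would also look at Mark-of-the-Web and the code signature of any member that turns out to be a PE file.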
The attackers rotated all six malware payloads through the GitHub repository, switching between them frequently. Fortunately, the repository's change history was accessible, so researchers were able to determine which payload was being distributed at any given time.
Most of the malicious files were signed with several code-signing certificates, to convince users that they were installing a legitimate product. Surprisingly, despite having access to the private keys of those certificates, the attackers did not sign all of the malware hosted in the repository.
A closer investigation of the code-signing certificates revealed a clear overlap between this malware and other malicious operations. This led the researchers to conclude that the operators behind the campaign bought the malware from the same distribution channel.
Among the malware families used in the campaign are the ClipBanker trojan, the Buhtrap banking trojan and the RTM banking trojan.
One of the Buhtrap variants discovered while investigating the malware dropped in the campaign, Win32/Filecoder.Buhtrap, exhibits ransomware behavior.
This Delphi-based malware was distributed from February to March 2019. It targets database management systems, enumerates local drives and network shares, and encrypts all the files it finds on them.
Notably, this ransomware does not need an active internet connection to encrypt the files on the victim's PC.
After encrypting the files, Filecoder.Buhtrap adds a token to the ransom note, which is displayed full-screen on the compromised system. Victims are told to contact the attackers via Bitmessage or e-mail for further instructions on recovering their encrypted data.
The Win32/ClipBanker component of the ClipBanker trojan is said to have been distributed on a large scale from October to December 2018. It monitors the victim's clipboard for cryptocurrency addresses and silently replaces them with addresses controlled by the attackers, so that a payment the victim pastes into a wallet goes to the attacker instead.
Another variant, ClipBanker.IH, targeted Steam trade offers and exfiltrated Bitcoin WIF private keys, Bitcoin Core wallets and Electrum wallets through an IP Logger service.
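The clipboard substitution described above is simple enough to reproduce and, more usefully, to test for. The following is an added example, not ESET's code or ClipBanker's: it uses a stand-in clipboard object (real code would call the OS clipboard API) so it runs offline, shows the swap a clipper performs on a copied Bitcoin address, and provides a canary-based probe that an incident responder can use to check a machine for a clipper. The address regex is deliberately simplified, the victim and canary addresses are well-known public example addresses, and the attacker address is constructed for this example.

```python
import re
from typing import Callable, Optional

# Simplified pattern for legacy Base58 (1.../3...) and bech32 (bc1...) Bitcoin addresses.
# It does not validate checksums; a real clipper is equally loose, a real detector
# should validate properly before acting on a match.
BTC_ADDRESS_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")

VICTIM_ADDRESS = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"             # public example address
CANARY_ADDRESS = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"     # public example address
ATTACKER_ADDRESS = "1Attack3rAddr" + "Z" * 21                     # constructed, 34 chars


class ClipboardSim:
    """Minimal stand-in for the OS clipboard so the example runs without a desktop."""

    def __init__(self) -> None:
        self.text = ""

    def get(self) -> str:
        return self.text

    def set(self, text: str) -> None:
        self.text = text


def clipper_swap(clipboard: ClipboardSim, attacker_address: str) -> bool:
    """What a clipper does on each poll: rewrite any address on the clipboard.
    Returns True when the clipboard content was changed."""
    text = clipboard.get()
    swapped = BTC_ADDRESS_RE.sub(attacker_address, text)
    if swapped != text:
        clipboard.set(swapped)
        return True
    return False


def probe_for_clipper(clipboard: ClipboardSim, canary: str,
                      wait: Optional[Callable[[ClipboardSim], None]] = None) -> bool:
    """Defender-side check: place a known address on the clipboard, give resident
    malware a chance to act, then read it back. True means something rewrote it.
    `wait` stands in for the delay during which a real clipper would poll; in this
    offline example the test passes the clipper itself as the callback."""
    clipboard.set(canary)
    if wait is not None:
        wait(clipboard)
    return clipboard.get() != canary


if __name__ == "__main__":
    cb = ClipboardSim()
    cb.set("Please pay 0.5 BTC to " + VICTIM_ADDRESS + " before Friday")
    print("swapped:", clipper_swap(cb, ATTACKER_ADDRESS))
    print("clipboard now:", cb.get())
    print("clipper present:", probe_for_clipper(
        ClipboardSim(), CANARY_ADDRESS, lambda c: clipper_swap(c, ATTACKER_ADDRESS)))
```

The probe is the part worth keeping: on a suspect machine, put a known address on the clipboard, wait a few seconds, and compare. Any difference is a strong indicator of a clipper regardless of which family it belongs to, and the same idea works for other address formats once their patterns are added.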
The RTM banking trojan was dropped in early February 2019. Its behavior and capabilities have been documented by researchers at ESET and Palo Alto Networks.
This Trojan possesses:
The trojan is reported to collect victims' sensitive financial information and transmit it to its operators.
A recent web security report revealed that Yandex disabled the malvertising campaign after being alerted to the malicious ads that were leading users to malware-laden websites.
The researchers at Virus Removal Guidelines track the latest threats that may compromise your system's security. Our team researches every malware infection in detail before informing our users about it.