Malvertising Scheme
News | 05/02/2019

Hackers Propagate Malvertising Scheme via GitHub



Yandex.Direct Compromised with Malvertising Attack via GitHub

Cyber criminals have recently been reported to be abusing Yandex.Direct, a Russian online advertising service, in a malvertising campaign. The scheme serves malicious ads to a large number of Russian accountants with the aim of delivering ransomware and banking Trojans to them.

This large-scale malvertising attack is spreading a range of malware designed to encrypt users' data and steal cryptocurrency.

Security analysts from ESET, an IT security company headquartered in Slovakia, have found around six malware families associated with this ongoing malvertising scheme. Over the past few months the group behind it has been targeting Russian organizations using two well-known backdoors, Buhtrap and RTM, along with cryptocurrency stealers and ransomware.


The malvertising scheme primarily targeted commercial accounting departments by placing malicious adverts through Yandex.Direct. The attackers compromised users who were searching for contract examples and contract forms by redirecting them to websites offering malicious downloads disguised as document templates.

Insight into the Distribution Mechanism Used by the Attackers

ESET researchers disclosed that potential targets searching for keywords such as "download invoice template" or "example of legal contracts" were lured to pages seeded by the malvertising scheme. It is evident that corporate entities were the target of this campaign, which left the accountants' systems compromised.

The attackers bundled different payloads together and hosted all the malicious files on two different GitHub repositories. However, the files were left in the repositories only for a limited time frame, and only while the ad campaign was active. Most of the time the GitHub payload was either an empty ZIP file or a clean .EXE.

This malvertising campaign is reported to have launched in October 2018 and has continued to compromise accountants' systems since then. Six different malware families have been hosted on the GitHub repository.

Researchers found that the cyber criminals were able to lure victims into downloading the malicious files through a website. The website's design and the file names chosen by the fraudsters were quite convincing, referring to form samples, templates, contract samples and so on.

The fake software offered on the website was described as "Collection of templates 2018: forms, templates, contracts & samples."

Payloads & Data Collection

The cyber criminals deployed all six malware payloads through the GitHub repository, frequently switching between them. Fortunately, researchers were able to determine which malware payload was distributed at any particular time by examining the repository's change history.

It was observed that the hackers signed most of the malicious files with multiple code-signing certificates, to convince users that they were installing a genuine product on their systems. Surprisingly, despite having access to the private keys of those certificates, the hackers did not sign all the malware hosted on the repository.

A thorough investigation of the code-signing certificates revealed a noticeable overlap between the malware used here and other malicious operations. This led the researchers to conclude that the operators behind the campaign bought the malware from the same distribution channel.

Among the malware used in the campaign are the ClipBanker Trojan, the Buhtrap banking Trojan and the RTM banking Trojan.

The Ransomware Behavior of Buhtrap

One of the Buhtrap modules (Win32/Filecoder.Buhtrap) discovered during the investigation of the malware dropped in the malvertising scheme has shown ransomware behavior.

This new Delphi-based malware was distributed from February to March 2019. It mainly targets database management systems, discovers local drives and network shares, and encrypts all the data and files found on them.

Surprisingly, this ransomware does not need an active internet connection to encrypt the files on the victim's PC.

Following successful encryption of the files, Filecoder.Buhtrap adds a token to the ransom note, which covers the screen of the compromised system. The victims are asked to contact the attackers via Bitmessage or e-mail to receive further instructions on recovering the encrypted data.

Threats Posed by Banking Trojans

ClipBanker Trojan

The Win32/ClipBanker component of the ClipBanker Trojan is said to have been distributed at large scale from October 2018 to December 2018. It monitored the victim's clipboard for cryptocurrency addresses and automatically replaced them with addresses controlled by the hackers.

Another variant of this banking Trojan, labeled ClipBanker.IH, targeted Steam trade offers and exfiltrated Bitcoin WIF private keys, Core wallets and Electrum cryptocurrency wallets via the IP Logger service.
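The clipboard substitution described above can be spotted from the defender's side by watching for one cryptocurrency address being replaced by a different address of the same format almost immediately after it was copied. The following detector is an added example, not code from ESET or from this article; it runs over a constructed timeline of clipboard updates, and the `owner` field (the process that last set the clipboard) is a hypothetical attribute that a real monitor would have to obtain from the operating system.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Heuristic address shapes (format only, no checksum validation).
ADDRESS_PATTERNS: Dict[str, "re.Pattern"] = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_type(text: str) -> Optional[str]:
    """Return the address family the text resembles, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

@dataclass
class ClipEvent:
    t: float       # seconds since the monitor started
    owner: str     # process that set the clipboard (hypothetical field)
    content: str

def detect_swaps(events: List[ClipEvent], window: float = 5.0) -> List[dict]:
    """Flag an update that replaces one address with a different address of
    the same family within `window` seconds; a user rarely copies two
    addresses that fast, a clipper does it at once."""
    alerts: List[dict] = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        if prev is not None:
            old_kind, new_kind = address_type(prev.content), address_type(ev.content)
            if (old_kind and old_kind == new_kind
                    and prev.content.strip() != ev.content.strip()
                    and ev.t - prev.t <= window):
                alerts.append({"t": ev.t, "kind": new_kind,
                               "original": prev.content, "replacement": ev.content,
                               "owner_changed": prev.owner != ev.owner,
                               "new_owner": ev.owner})
        prev = ev
    return alerts

# Constructed sample timeline; the addresses are made-up strings that only match the shape.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "wallet.exe", "1ConstructedAddrForDemoXYZabc"),
    ClipEvent(0.4, "unknown.exe", "3SwappedDemoAddrConstructed55555"),  # swap: alert
    ClipEvent(30.0, "notepad.exe", "meeting at 10"),
    ClipEvent(31.0, "wallet.exe", "0xabcdef0123456789abcdef0123456789abcdef01"),
    ClipEvent(60.0, "wallet.exe", "0x0123456789abcdef0123456789abcdef01234567"),  # too slow: no alert
]
```

A legitimate user who copies two addresses within the window will also trigger the rule, so the `owner_changed` flag is worth weighting when triaging alerts.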


RTM Banking Trojan

The RTM banking Trojan was dropped in early February 2019. Its behavior and capabilities have been documented by researchers at ESET and Palo Alto Networks.

This Trojan possesses:

  • Banking-oriented monitoring capability
  • Smart card reader monitoring capability
  • Keylogging and screenshot modules

The Trojan is reported to collect sensitive financial information from victims and transmit it to its operators.

A recent web security report revealed that Yandex disabled this malvertising campaign after being alerted about the malicious adverts that were leading users to malware-laden websites.
