​Malvertising campaign targeting accountants distributes six different malware families

• This malvertising campaign targeted Russian organizations with an aim to compromise accountants’ computers.
• The six different malware families such include Buhtrap banking trojan, RTM banking trojan, Clipbanker trojan, VegaLocker ransomware, and cryptocurrency miners.

ESET researchers have observed a new malvertising campaign that leverages Yandex.Direct network to distribute malware onto victims’ computers and steal cryptocurrency. Yandex.Direct is an online advertising network based in Russia.

Who are the targets?

This malvertising campaign mainly targeted Russian organizations to compromise accountants’ computers.

How does the malvertising campaign work?

• Malicious ads are posted on Yandex.Direct ad network and victims clicking on the ads will be redirected to malicious websites.
• These websites will have a link to Github that contain malicious files on the repository.
• The files hosted are either an empty zip file or a clean executable.
• These malicious files distribute six different malware families such as Buhtrap banking trojan, RTM banking trojan, Clipbanker trojan, VegaLocker ransomware, and cryptocurrency miners.

Worth noting

Attackers posted malicious ads through the Yandex.Direct service to websites that were likely to be visited by accountants searching for specific terms such as ‘download invoice template’, ‘claim complaint example’, ‘contract example’, ‘contract form’, ‘judicial petition example’, and more.

Multiple code-signing certificates

The malware payloads have been signed by multiple code-signing certificates. However, the attackers failed to systematically sign the binaries that they have pushed to the git repository. In fact, the attackers have also used invalid signatures with a certificate belonging to Google that did not have a private key.

What’s the response?

Researchers notified Yandex about the campaign, and the company has removed the malvertising campaign from its advertising network.

“This campaign is a good example of how legitimate ad services can be abused to distribute malware. While this campaign specifically targets Russian organizations, we wouldn’t be surprised if such a scheme were used abusing non-Russian ad services. To avoid being caught by such a scam, users should always make sure the source from where they download software is a well-known, reputable software distributor,” ESET researchers said in a blog.