Malvertising campaign targeting accountants distributes six different malware families
May 1, 2019 | Malware and Vulnerabilities
- This malvertising campaign targeted Russian organizations with the aim of compromising accountants' computers.
- The malware families distributed include the Buhtrap banking trojan, the RTM banking trojan, the Clipbanker trojan, VegaLocker ransomware, and cryptocurrency miners.
ESET researchers have observed a new malvertising campaign that leverages Yandex.Direct network to distribute malware onto victims’ computers and steal cryptocurrency. Yandex.Direct is an online advertising network based in Russia.
Who are the targets?
This malvertising campaign mainly targeted Russian organizations to compromise accountants’ computers.
How does the malvertising campaign work?
- Malicious ads are placed on the Yandex.Direct ad network; victims who click them are redirected to attacker-controlled websites.
- These websites link to a GitHub repository hosting the files offered for download.
- Not every file hosted there was malicious: at times the repository held only an empty zip file or a clean executable.
- The malicious files drop six different malware families, including the Buhtrap banking trojan, the RTM banking trojan, the Clipbanker trojan, VegaLocker ransomware, and cryptocurrency miners.
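The chain above (ad click, attacker landing page, archive or executable fetched from GitHub) leaves a recognisable trace in web-proxy logs. The following is an added example, not code from ESET or Cyware, that flags clients which fetch a payload-like file from GitHub shortly after passing through an ad-click redirect. The log layout (space-separated timestamp, client, method, URL, referer), the ad-click host `yabs.yandex.ru`, the time window, and the sample log lines are all assumptions; the non-GitHub, non-Yandex hosts in the sample are fictitious.

```python
"""Proxy-log triage for the ad -> landing page -> GitHub download chain.

Added example, not the researchers' code. The log layout, the ad-click
host and the sample lines below are assumptions; adapt them to your proxy.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: Yandex.Direct click redirects pass through this host.
AD_CLICK_HOSTS = {"yabs.yandex.ru"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
PAYLOAD_EXT = (".zip", ".rar", ".7z", ".exe", ".msi")
WINDOW = timedelta(minutes=10)  # max gap between ad click and download

# Constructed sample log (not real traffic); example.* hosts are fictitious.
SAMPLE_LOG = """\
2019-04-25T09:00:01 10.0.0.5 GET https://yabs.yandex.ru/count/abc123 https://yandex.ru/search/?text=invoice+template
2019-04-25T09:00:03 10.0.0.5 GET https://blank-invoices.example/download.html https://yabs.yandex.ru/count/abc123
2019-04-25T09:00:09 10.0.0.5 GET https://github.com/example-user/docs/raw/master/invoice_template.zip https://blank-invoices.example/download.html
2019-04-25T09:30:00 10.0.0.7 GET https://github.com/python/cpython/archive/master.zip https://github.com/python/cpython
2019-04-25T11:00:00 10.0.0.5 GET https://raw.githubusercontent.com/some/repo/master/tool.exe -
"""


def parse_line(line):
    """Split one log line into (timestamp, client, host, path, referer)."""
    ts, client, _method, url, referer = line.split()
    u = urlparse(url)
    return datetime.fromisoformat(ts), client, u.netloc.lower(), u.path, referer


def find_chains(log_text, window=WINDOW):
    """Return [(client, download_url, referer_host)] for every payload-like
    file fetched from GitHub within `window` of the same client's most
    recent ad click. Downloads with no preceding click are ignored."""
    per_client = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ev = parse_line(raw)
            per_client[ev[1]].append(ev)

    hits = []
    for client, events in per_client.items():
        events.sort(key=lambda e: e[0])
        last_click = None
        for ts, _c, host, path, referer in events:
            if host in AD_CLICK_HOSTS:
                last_click = ts  # remember the most recent ad click
            elif (last_click is not None
                  and ts - last_click <= window
                  and host in GITHUB_HOSTS
                  and path.lower().endswith(PAYLOAD_EXT)):
                ref_host = urlparse(referer).netloc.lower() if referer != "-" else ""
                hits.append((client, host + path, ref_host))
    return hits


if __name__ == "__main__":
    for client, url, ref in find_chains(SAMPLE_LOG):
        print(f"{client} fetched {url} via {ref or '(no referer)'}")
```

Only the first client is reported: its GitHub download follows an ad click within the window and carries the landing page as referer. The developer fetching a CPython archive has no preceding click, and the later `tool.exe` download falls outside the window. The referer host in each hit is the landing site worth blocking or pivoting on.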
Worth noting
The attackers placed the ads through Yandex.Direct so that they appeared on websites likely to be visited by accountants searching for terms such as 'download invoice template', 'claim complaint example', 'contract example', 'contract form', 'judicial petition example', and more.
Multiple code-signing certificates
The malware payloads were signed with several different code-signing certificates. The attackers did not sign every binary pushed to the git repository, however, and some binaries carried invalid signatures made with a certificate issued to Google, for which the attackers held no private key, so those signatures do not verify. The presence of a signature is therefore not evidence of trustworthiness on its own: a download is only as trustworthy as a signature that actually validates and whose signer is the expected publisher.
What’s the response?
Researchers notified Yandex about the campaign, and the company has removed the malvertising campaign from its advertising network.
“This campaign is a good example of how legitimate ad services can be abused to distribute malware. While this campaign specifically targets Russian organizations, we wouldn’t be surprised if such a scheme were used abusing non-Russian ad services. To avoid being caught by such a scam, users should always make sure the source from where they download software is a well-known, reputable software distributor,” ESET researchers said in a blog.