ESET researchers have observed a new malvertising campaign that leverages the Yandex.Direct network to distribute malware onto victims’ computers and steal cryptocurrency. Yandex.Direct is an online advertising network based in Russia.
Who are the targets?
This malvertising campaign mainly targeted Russian organizations to compromise accountants’ computers.
How does the malvertising campaign work?
Attackers posted malicious ads through the Yandex.Direct service to websites that were likely to be visited by accountants searching for specific terms such as ‘download invoice template’, ‘claim complaint example’, ‘contract example’, ‘contract form’, ‘judicial petition example’, and more.
Worth noting
Multiple code-signing certificates
The malware payloads have been signed with multiple code-signing certificates. However, the attackers failed to sign systematically the binaries that they pushed to the git repository. They also applied invalid signatures using a certificate belonging to Google, for which they did not possess the private key, so those signatures do not verify.
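As an added example (not code from ESET or from the campaign), the following PowerShell snippet shows the check a defender would apply to downloaded binaries: it inventories the Authenticode signature state of each file and rejects anything whose signature does not verify, regardless of how reputable the signer's name looks. The download folder path is an assumption.

```powershell
# Added example: list Authenticode signature status for executables in a folder.
# A signature made with a certificate whose private key the signer never held
# (as with the Google certificate described above) reports HashMismatch or
# UnknownError rather than Valid, so the subject name alone must never be trusted.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed location; adjust as needed
)

Get-ChildItem -Path $Path -Include *.exe, *.dll, *.msi -Recurse -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            # Only a fully valid, chained signature earns trust; everything else is rejected.
            Decision   = if ($sig.Status -eq 'Valid') { 'allow' } else { 'REJECT' }
        }
    } |
    Sort-Object Status |
    Format-Table -AutoSize
```

Running this before executing a downloaded "invoice template" or similar tool would surface the unsigned and invalidly signed payloads described in the report.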
What’s the response?
Researchers notified Yandex about the campaign, and the company has removed the malvertising campaign from its advertising network.
“This campaign is a good example of how legitimate ad services can be abused to distribute malware. While this campaign specifically targets Russian organizations, we wouldn’t be surprised if such a scheme were used abusing non-Russian ad services. To avoid being caught by such a scam, users should always make sure the source from where they download software is a well-known, reputable software distributor,” ESET researchers said in a blog post.