Cybercriminals are abusing the Yandex.Direct online advertising service in order to serve up malicious ads that target Russian accountants with the goal of infecting them with banking trojans and ransomware.

Researchers from ESET have so far linked six malware programs to this campaign, which began in October and continues to this day. During periods of active distribution, these malware programs were hosted on two different GitHub repositories. When the campaign was dormant, the repositories would instead host harmless files. At times the malware files were signed with multiple code-signing certificates; other times, the attackers didn’t bother or used invalid signatures.

Particularly noteworthy among the half-dozen malware programs was a previously undiscovered ransomware program identified as Win32/Filecoder.Buhtrap. Buhtrap is a cybercriminal group known to attack banks and the financial sector, and this apparently could be one of its newer weapons.

The malicious encryptor was distributed primarily last February and March, according to ESET in a company
blog post published today. Rather than communicating with an internet-connected C&C server, it instead appends a token at the end of its ransom message and instructs victims to communicate via email or Bitmessage.

“To encrypt as many important resources as possible, Filecoder.Buhtrap starts a thread dedicated to killing key software that might have open handles on files containing valuable data, thus preventing them [from] being encrypted,” ESET explains. “The targeted processes are mainly database management systems (DBMS). Furthermore, Filecoder.Buhtrap removes log files and backups, to make it as difficult as possible for victims without any offline backups to recover their files.”

ESET has identified the malvertising campaign’s other malware programs as:

  • The Buhtrap downloader, which retrieves second second-stage code a malicious URL and loads it directly into memory. ESET notes that the downloader was not similar to malicious tools previously associated with the Buhtrap group.
  • Win32/ClipBanker and MSIL/ClipBanker.IH, two variants of a clipper malware program that monitors clipboard content for cryptocurrency addresses and replaces it with the attackers’ address so they can steal digital funds. The former malware was distributed from the end of October to early December 2018, while the latter was distributed in March 2019.
  • Win32/RTM, a Delphi-based banking trojan that targets remote banking systems. It was distributed for a few days in early March.
  • Android/Spy.Banker, a malicious Android Application Package that contains Anubis, a credential-stealing banking malware capable of various spyware functions and even malicious encryption for ransom purposes. It doesn’t appear to ever have been actively distributed, but it was spotted on the GitHub master branch for one day, on Nov. 1, 2018.

Victims were tricked into downloading these malware programs shortly after clicking on shady banner ads that offered accounting or legal services, but in actuality redirected visitors to a malicious .ru landing page. The attackers compromised the Yandex.Direct service to display these malvertisements on compromised legitimate domains, which accountants typically would visit after executing online searches such as “download invoice template,” “contract example,” “claim complaint example” and “contract form.”

The professional-looking but phony .ru web page purported to offer links to downloadable forms, templates and contracts used by accountants. But the only thing the victims actually download is malware, from one of the GitHub repositories.

Yandex, which also operates Russia’s largest search engine, removed the malvertising campaign after being notified of the threat, ESET reports.

“This campaign is a good example of how legitimate ad services can be abused to distribute malware. While this campaign specifically targets Russian organizations, we wouldn’t be surprised if such a scheme were used abusing non-Russian ad services,” the blog post concludes. “To avoid being caught by such a scam, users should always make sure the source from where they download software is a well-known, reputable software distributor.”