ESET uncovered malicious campaign distributed via major advertising platform in Russia
Created: 2019-04-30 13:00:00
MONTREAL and BRATISLAVA — ESET researchers have discovered a campaign targeting Yandex users via malicious advertisements in search results. Yandex is often described as the Russian counterpart to search giant Google.
Visitors who searched for templates, forms and how-to videos on Yandex, the largest Russian language search engine on the internet, were directed to a GitHub page that served them various types of malware.
Similarly, users visiting specialized forums were targeted with advertisements luring them to a malicious website that, just like the GitHub repository mentioned above, served malware. In all cases, the malware was delivered as the forms, templates and contracts the victims had been looking for, all of which were trojanized.
“In short, those users who sought to make their work easier ended up making their lives harder due to the methods employed by this campaign,” commented Jean-Ian Boutin, ESET senior researcher.
Figure 1 - One of the malvertising campaign’s landing pages, this one named “Collection of Templates 2018: Forms, templates, contracts, samples,” that served trojanized documents.
After being notified by ESET, Yandex.Direct, the Russian internet giant’s advertising arm, stopped the malvertising. The GitHub repositories used for this malware campaign currently contain only a few benign files. The landing page shown above was still up just days ago and serving trojanized documents.
Because the attackers used GitHub, where a repository’s change history is publicly available, it is possible to see which malware was being distributed at any given time. Six different malware families were hosted on GitHub during this campaign. Among them were two well-known backdoors, Buhtrap and RTM, both of which are banking trojans.
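The press release points out that a public repository’s history records every file version it ever served, not just what is in the current tree. The script below is an added example and is not ESET’s code or anything published by the campaign’s operators: it walks every commit reachable from any ref, hashes each file version, and reports those whose SHA-256 appears in an indicator list. The repository, file name and indicator hash are constructed inline for the demo; the page names no repository or hash. One caveat a responder should keep in mind: an attacker can rewrite history with a force-push, so a mirror clone should be taken as soon as the repository is identified.

```shell
#!/bin/sh
# Added example (not ESET's code): recover every file version a public Git
# repository ever served, so hashes can be matched against known-bad
# indicators even after the attacker replaced the payloads with benign files.
# Repository path, file names and the IOC list are constructed for the demo.
set -eu

# Print one line per (commit, file) pair across all refs:
#   <commit> <commit-date> <sha256-of-blob> <path>
history_hashes() {
  repo=$1
  git -C "$repo" rev-list --all | while read -r commit; do
    date=$(git -C "$repo" show -s --format=%cI "$commit")
    # ls-tree prints "<mode> <type> <object>\t<path>"; read keeps the path whole
    git -C "$repo" ls-tree -r "$commit" | while read -r _mode _type blob path; do
      sha=$(git -C "$repo" cat-file blob "$blob" | sha256sum | cut -d' ' -f1)
      printf '%s %s %s %s\n' "$commit" "$date" "$sha" "$path"
    done
  done
}

# Report historical file versions whose SHA-256 is listed in the IOC file
# (one lowercase hex digest per line).
match_iocs() {
  repo=$1
  iocs=$2
  history_hashes "$repo" | while read -r commit date sha path; do
    if grep -qx "$sha" "$iocs"; then
      printf 'MATCH %s served at %s in commit %s\n' "$path" "$date" "$commit"
    fi
  done
}

# Build a throwaway repository mimicking the campaign's pattern: a trojanized
# "template" is committed, then replaced with a harmless file. HEAD looks
# clean; only the history shows what was served earlier. (Constructed data.)
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
  mkdir -p "$repo/templates"
  printf 'CONSTRUCTED trojanized sample\n' > "$repo/templates/contract_2018.doc"
  g add -A && g commit -q -m "add templates"
  printf 'harmless placeholder\n' > "$repo/templates/contract_2018.doc"
  g add -A && g commit -q -m "cleanup"
  printf '%s\n' "$repo"
}

# End-to-end run: pretend a threat-intel feed lists the hash of the sample
# that was seen in the wild, then scan the cleaned-up repository's history.
demo() {
  repo=$(make_demo_repo)
  iocs=$(mktemp)
  printf 'CONSTRUCTED trojanized sample\n' | sha256sum | cut -d' ' -f1 > "$iocs"
  match_iocs "$repo" "$iocs"
}
```

Run `demo` to see the pattern on the constructed repository, or `match_iocs /path/to/clone iocs.txt` against a real clone taken with `git clone --mirror` so that all branches and tags are included. Only the current tree is what a visitor sees today; the match comes from the earlier commit, which is exactly the evidence the cleanup was meant to hide.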
“This campaign is a good example of how legitimate advertising services can be abused to distribute malware. While this campaign specifically targets Russian organizations, we wouldn’t be surprised if such a scheme was used to leverage non-Russian ad services,” concludes Boutin.
ESET researchers recommend that users always verify that the source they download software from is a well-known and reputable distributor, in order to avoid falling for such a scam.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.