MONTREAL and BRATISLAVA — ESET researchers have discovered a campaign targeting Yandex users via malicious search results. Yandex is often described as a Russian binary to search giant Google.
Visitors who searched for templates, forms and how-to videos on Yandex, the largest Russian language search engine on the internet, were directed to a GitHub page that served them various types of malware.
Similarly, users visiting specialized forums were targeted with advertisements luring them to a malicious website that, just like the abovementioned GitHub repository, served malware. In all cases, the malware was bound to user access points for forms, templates and contracts, all of which were trojanized.
“In short, those users who sought to make their work easier ended up making their lives harder due to the methods employed by this campaign,” commented Jean-Ian Boutin, ESET senior researcher.
Figure 1 - One of the malvertising campaign’s landing pages, this one named “Collection of Templates 2018: Forms, templates, contracts, samples,” that served trojanized documents.
Based on ESET’s notice, Yandex.Direct, the Russian internet giant’s advertising arm, stopped the malvertising. The GitHub repositories used for this malware campaign currently contain only a few benign files. The landing page shown above was still up just days ago and serving trojanized documents.
Due to the fact that the attackers used GitHub, where the repositories’ change history is publicly available, it is possible to see which malware was distributed at any given time. There were six different malware families hosted on GitHub during this campaign. Among them were two well-known backdoors, Buhtrap and RTM, both of which are banking trojans.
“This campaign is a good example of how legitimate advertising services can be abused to distribute malware. While this campaign specifically targets Russian organizations, we wouldn’t be surprised if such a scheme was used to leverage non-Russian ad services,” concludes Boutin.
ESET researchers recommend that users always verify that the source they select to download software is a well-known and reputable software distributor in order to avoid being caught by such a scam.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.