ESET announced that it team of researchers have discovered a campaign targeting Yandex users via malicious search results. Yandex is the largest Russian language search engine on the internet and visitors who searched for templates, forms and how-to videos on Yandex, were directed to a GitHub page that served them various types of malware.
Similarly, users visiting specialized forums were targeted with advertisements luring them to a malicious website that, just like the above mentioned GitHub repository, served malware. In all cases, the malware was bound to user access points for forms, templates and contracts, all of which were trojanized.
“In short, those users who sought to make their work easier ended up making their lives harder due to the methods employed by this campaign,” commented Jean-Ian Boutin, ESET senior researcher.
Based on ESET’s notice, Yandex.Direct, the Russian internet giant’s advertising arm, stopped the malvertising. The GitHub repositories used for this malware campaign currently contain only a few benign files. The landing page shown above was still up just days ago and serving trojanized documents.
Due to the fact that the attackers used GitHub, where the repositories’ change history is publicly available, it is possible to see which malware was distributed at any given time. There were six different malware families hosted on GitHub during this campaign. Among them were two well-known backdoors, Buhtrap and RTM, both of which are banking trojans.
“This campaign is a good example of how legitimate advertising services can be abused to distribute malware. While this campaign specifically targets Russian organizations, we wouldn’t be surprised if such a scheme was used to leverage non-Russian ad services,” concludes Boutin.
ESET researchers recommend that users always verify that the source they select to download software is a well-known and reputable software distributor in order to avoid being caught by such a scam.