ESET researchers have discovered a campaign targeting Yandex users via malicious search results. Yandex is often described as a Russian binary to search giant Google.
Visitors who searched for templates, forms and how-to videos on Yandex, the largest Russian language search engine on the internet, were directed to a GitHub page that served them various types of malware.
Similarly, users visiting specialized forums were targeted with advertisements luring them to a malicious website that, just like the abovementioned GitHub repository, served malware. In all cases, the malware was bound to user access points for forms, templates and contracts, all of which were trojanized.
Jean-Ian Boutin from ESET said that In short, those users who sought to make their work easier ended up making their lives harder due to the methods employed by this campaign.
Based on ESET’s notice, Yandex.Direct, the Russian internet giant’s advertising arm, stopped the malvertising. The GitHub repositories used for this malware campaign currently contain only a few benign files. The landing page shown above was still up just days ago and serving trojanized documents.
Due to the fact that the attackers used GitHub, where the repositories’ change history is publicly available, it is possible to see which malware was distributed at any given time. There were six different malware families hosted on GitHub during this campaign. Among them were two well-known backdoors, Buhtrap and RTM, both of which are banking trojans.
The campaign is a good example of how legitimate advertising services can be abused to distribute malware. While this campaign specifically targets Russian organizations, they wouldn’t be surprised if such a scheme was used to leverage non-Russian ad services.
ESET researchers recommend that users always verify that the source they select to download software is a well-known and reputable software distributor in order to avoid being caught by such a scam.