What better way than to target accountants as they search the Internet for documents related to their work? In incidents over the past few months, a group was found targeting various organizations, primarily in Russia, using two known backdoors (Buhtrap and RTM) as well as ransomware and cryptocurrency-stealing malware.
Targeting was accomplished by placing malicious advertisements through Yandex.Direct, with the aim of redirecting potential targets to a website offering malicious downloads disguised as document templates. Yandex is the largest search engine in Russia, and Yandex.Direct is its online advertising network. We at ESET contacted Yandex, and they removed the malicious ad campaign.
While the source code of the Buhtrap backdoor was leaked in the past and is available to everyone, the RTM code, as far as we know, is not. In this article, we explain how the threat actors distributed their malware by abusing the Yandex.Direct advertising network and hosting the payloads on GitHub. We conclude with a technical analysis of the malware used.
Distribution mechanism and victims
What ties the different payloads together is how they were distributed. All of the malicious files created by the cybercriminals were hosted in two different GitHub repositories.
Usually only one malicious file could be downloaded from the site at any given time, but the file changed frequently. The change history of the GitHub repository was available, allowing us to see which malware was deployed and when.
Besides the names of the malicious files, the design of the website was also very telling: it is all about forms, templates, and contracts. The name of the fake software translates as “2018 Draft Collection: forms, templates, contracts, samples”.
Given that Buhtrap and RTM have been used to target accounting departments in the past, we quickly realized that a similar strategy was being pursued. But how were potential victims redirected to the website?
To read the full report written by the ESET Research team, visit the link here.