Malvertising scheme abuses Yandex.Direct, targets Russian accountants with assorted malware

silversurfer

Cybercriminals are abusing the Yandex.Direct online advertising service in order to serve up malicious ads that target Russian accountants with the goal of infecting them with banking trojans and ransomware.

Researchers from ESET have so far linked six malware programs to this campaign, which began in October and continues to this day. During periods of active distribution, these malware programs were hosted on two different GitHub repositories. When the campaign was dormant, the repositories would instead host harmless files. At times the malware files were signed with multiple code-signing certificates; other times, the attackers didn’t bother or used invalid signatures.

Particularly noteworthy among the half-dozen malware programs was a previously undiscovered ransomware program identified as Win32/Filecoder.Buhtrap. Buhtrap is a cybercriminal group known to attack banks and the financial sector, and this apparently could be one of its newer weapons.

The malicious encryptor was distributed primarily last February and March, according to ESET in a company blog post published today. Rather than communicating with an internet-connected C&C server, it instead appends a token at the end of its ransom message and instructs victims to communicate via email or Bitmessage.

“To encrypt as many important resources as possible, Filecoder.Buhtrap starts a thread dedicated to killing key software that might have open handles on files containing valuable data, thus preventing them [from] being encrypted,” ESET explains. “The targeted processes are mainly database management systems (DBMS). Furthermore, Filecoder.Buhtrap removes log files and backups, to make it as difficult as possible for victims without any offline backups to recover their files.”
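The behaviour ESET describes in the last paragraph, a single process killing database software and then deleting logs and backups before encryption, is a sequence a defender can look for in endpoint telemetry. The following is an added detection sketch, not code from ESET or from the original post: it runs over a few constructed EDR-style event records (field names, the DBMS image list and the backup/log extensions are all assumptions) and flags any actor process that, within a short window, terminates two or more DBMS processes and deletes at least one backup or log file.

```python
"""Toy behavioural detection for the Filecoder.Buhtrap-style sequence
ESET describes: one process kills DBMS software, then deletes logs and
backups. Event records below are constructed, not real telemetry, and
their shape (actor_pid, actor_image, action, target) is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: image names commonly associated with database servers.
DBMS_IMAGES = {"sqlservr.exe", "mysqld.exe", "postgres.exe",
               "oracle.exe", "fbserver.exe"}
# Assumed: extensions that typically hold backups or transaction/log data.
BACKUP_EXTS = (".bak", ".log", ".ldf", ".trn")

# Constructed sample events: one suspicious actor and two benign ones.
SAMPLE_EVENTS = [
    {"ts": "2019-04-30T09:00:01", "actor_pid": 4120, "actor_image": "invoice.exe",
     "action": "terminate_process", "target": "sqlservr.exe"},
    {"ts": "2019-04-30T09:00:02", "actor_pid": 4120, "actor_image": "invoice.exe",
     "action": "terminate_process", "target": "postgres.exe"},
    {"ts": "2019-04-30T09:00:05", "actor_pid": 4120, "actor_image": "invoice.exe",
     "action": "delete_file", "target": r"C:\Backups\accounting.bak"},
    {"ts": "2019-04-30T09:00:06", "actor_pid": 4120, "actor_image": "invoice.exe",
     "action": "delete_file", "target": r"C:\DB\ledger.log"},
    # Benign: a backup agent rotating an old archive, no process kills.
    {"ts": "2019-04-30T09:10:00", "actor_pid": 880, "actor_image": "backupagent.exe",
     "action": "delete_file", "target": r"C:\Backups\old.bak"},
    # Benign: an admin restarting a single database service.
    {"ts": "2019-04-30T09:20:00", "actor_pid": 1300, "actor_image": "services.exe",
     "action": "terminate_process", "target": "mysqld.exe"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def detect(events, window=timedelta(minutes=5), min_kills=2, min_deletes=1):
    """Return one alert per actor process whose events, inside any
    `window`-long span, include >= min_kills distinct DBMS terminations
    and >= min_deletes backup/log deletions."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev["actor_pid"], ev["actor_image"])].append(ev)

    alerts = []
    for (pid, image), evs in by_actor.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        # Slide a window starting at each event of this actor.
        for i, start in enumerate(evs):
            t0 = parse_ts(start["ts"])
            killed, deleted = set(), []
            for ev in evs[i:]:
                if parse_ts(ev["ts"]) - t0 > window:
                    break
                target = ev["target"].lower()
                if ev["action"] == "terminate_process" and target in DBMS_IMAGES:
                    killed.add(target)
                elif ev["action"] == "delete_file" and target.endswith(BACKUP_EXTS):
                    deleted.append(ev["target"])
            if len(killed) >= min_kills and len(deleted) >= min_deletes:
                alerts.append({"actor_pid": pid, "actor_image": image,
                               "first_seen": start["ts"],
                               "killed": sorted(killed), "deleted": deleted})
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['actor_pid']} image={alert['actor_image']} "
              f"killed={alert['killed']} deleted={alert['deleted']}")
```

The thresholds are deliberately conservative: a lone service restart or a backup agent pruning an archive does not fire, while the kill-then-delete pairing does. In a real deployment the DBMS list and extensions would come from the environment's actual inventory rather than the assumed values here.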