

Criminal activities against accountants on the rise – Buhtrap and RTM still active

UPDATE (November 6, 2019): Although the ransomware distributed in this campaign exhibits links with other Buhtrap malware, we now believe that it is not linked with the original Buhtrap group. Therefore, we have decided to change our original detection name for this ransomware to Win32/Filecoder.Buran. This should minimize any additional confusion and be more in sync with other publications describing the same ransomware.

What better way to target accountants than to target them as they search the web, looking for documents pertinent to their job? This is just what has been happening for the past few months, where a group using two well-known backdoors - Buhtrap and RTM - as well as ransomware and cryptocurrency stealers, has targeted organizations, mainly in Russia. The targeting was made possible by posting malicious ads through Yandex.Direct, in an attempt to redirect a potential target to a website offering malicious downloads disguised as document templates. Yandex is known to be the largest search engine on the internet in Russia. Yandex.Direct is its online advertising network. We’ve contacted Yandex and they removed this malvertising campaign.

While the Buhtrap backdoor source code has been leaked in the past and can thus be used by anyone, RTM code has not, at least to our knowledge.

In this blog, we will describe how the threat actors distributed their malware by abusing Yandex.Direct and hosted it on GitHub. We will conclude with a technical analysis of the malware used.

The link that ties the different payloads together is how they were distributed: all malicious files created by the cybercriminals were hosted on two different GitHub repositories. There was usually only one malicious file downloadable from the repo, but it would change frequently. Since change history is available from the GitHub repository, it allows us to know which malware was distributed at any given time. One way victims would be lured into downloading these malicious files was through a website, blanki-shabloni24ru, as shown in Figure 1.

The website design as well as all malicious filenames were quite revealing: they were all about forms, templates and contracts. The fake software name translates to: “Collection of Templates 2018: forms, templates, contracts, samples”.

Given the fact that Buhtrap and RTM have been used in the past to target accounting departments, we immediately believed that a similar strategy was at play.

Infection campaigns

At least some of the potential victims who ended up on this website were lured there through malvertising. But how were potential victims directed to the website? Below you can see an example of a redirect URL to the malicious website:

We can see in the URL that a banner ad was posted on bb.f2kz, which is a legitimate accounting forum. It is important to note here that these banners appeared on several different websites, all with the same campaign id (blanki_rsya) and most of them related to accounting or legal aid services. From the URL, we can also see what the user was searching for – “скачать бланк счета” or “download invoice template” – reinforcing our hypothesis that organizations are targeted. A list of the websites where the banners and the related search term appeared is shown in Table 1.

Table 1. Search terms used and domains where the banners were displayed

An ad pointing to a professional-looking website with a link to GitHub is not something obviously bad. The blanki-shabloni24ru website was probably set up in this way to survive basic scrutiny. Moreover, the cybercriminals put the malicious files on their GitHub repository only for a limited period of time, probably while the ad campaign was active. Most of the time, the payload on GitHub was an empty zip file or a clean executable.

To summarize, the cybercriminals were able to distribute ads through the Yandex.Direct service to websites that were likely to be visited by accountants searching for specific terms. This malware campaign started in late October 2018 and is still active at the time of writing. Let’s now take a look at the different payloads that were distributed this way.
