Recently, a group of threat actors distributed malware by abusing the Yandex.Direct advertising network, with the payloads hosted on GitHub. The group used two well-known backdoors, Buhtrap and RTM, as well as ransomware and cryptocurrency stealers. The malicious ads placed through Yandex.Direct redirected potential targets to a website offering downloads disguised as document templates; the downloads were in fact malicious executables.
The infection chain relies entirely on the victim running the downloaded executable. The cryptocurrency addresses to which the ransom payments of this campaign are directed are stored RC4-encrypted inside the malware rather than in plaintext, so they will not show up in a simple strings dump of the sample.
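Because the wallet addresses are RC4-encrypted, an analyst has to recover the key from the decryption routine and decrypt the embedded blob before the addresses can be used as indicators. The following is an added example, not code from the original page, from ESET, or from the malware itself: a plain RC4 implementation (key scheduling plus keystream generation) and a helper that decrypts a carved blob and pulls out Bitcoin-address-shaped strings. The key, the configuration layout and the encrypted blob below are constructed for the demonstration; in a real case the key comes from the sample's decryption routine and the blob from its data section.

```python
"""RC4 string-recovery helper (added example; key, layout and blob are constructed)."""
import re


def rc4_ksa(key: bytes) -> list[int]:
    """RC4 key-scheduling algorithm: permute S[0..255] under the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Legacy (P2PKH / P2SH) Bitcoin addresses: base58 alphabet, 26-35 chars, leading 1 or 3.
BTC_ADDR_RE = re.compile(rb"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def extract_btc_addresses(key: bytes, blob: bytes) -> list[str]:
    """Decrypt a carved RC4 blob and return any Bitcoin-address-shaped strings in it."""
    plain = rc4_crypt(key, blob)
    return [m.decode("ascii") for m in BTC_ADDR_RE.findall(plain)]


# Constructed demo material: a fake key, a fake config record and its RC4 ciphertext.
# (The address is not a real wallet; it only matches the base58 shape.)
DEMO_KEY = b"demo-rc4-key"
DEMO_PLAIN = b"cfg|btc=1FakeRC4AddrForDemoPurposesxyz2345|note=pay to restore files"
DEMO_BLOB = rc4_crypt(DEMO_KEY, DEMO_PLAIN)  # what an analyst would carve from the sample


def demo() -> list[str]:
    """Recover the wallet address from the constructed blob."""
    return extract_btc_addresses(DEMO_KEY, DEMO_BLOB)


if __name__ == "__main__":
    # The encrypted blob contains no readable address; decryption reveals it.
    assert not BTC_ADDR_RE.findall(DEMO_BLOB)
    print(demo())
```

Validate any hand-written RC4 against the published test vectors before trusting it on a sample (key "Key" with plaintext "Plaintext" must give bbf316e8d940af0ad3); an off-by-one in the swap or the index masking produces plausible-looking garbage rather than an obvious failure. Once the address is recovered it can be added to the campaign's indicators and checked against blockchain explorers for payment activity.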
Indicators of Compromise
IP(s) / Hostname(s)
Malware Hash (MD5/SHA1/SHA256)