The Chthonic Banking Trojan Propagated via PayPal

Hijacked or newly created PayPal accounts are being leveraged and embroiled in the Chthonic Banking Trojan distribution campaign, analysts from Proofpoint security company alarm.

In the course of this campaign, cybercriminals are abusing the PayPal service to request money from victims. Users receive a “You’ve got a money request” email which misleads them to think of it as a legit because it was sent by PayPal.

Proofpoint states that these emails are not actually falsified and they are not likely to be detected by spam filters. That’s why they manage to arrive their desired destination – the user`s inbox. It is not clear yet if these spam messages are automatically or manually sent but the experts confirmed that the reliable PayPal service is involved in malware propagation.

When opening the money request email, the victim sees a message claiming that an illegal $100 have been transferred to their bank account and that the money should be returned as soon as possible. There is a link in the email which should be leading to a screenshot with more detailed information about the transaction and a curious and surprised user would click on it no learn more.

PayPal’s money request feature allows adding a note along with the request, where the attacker crafted a personalized message and included a malicious URL. In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both.” Proofpoint notes.

What link actually does is redirecting the victim to katyaflash[.]com/pp.php where JavaScript file called paypalTransactionDetails.jpeg.js is automatically downloaded onto the device. An attempt for this file to be opened leads to the download of another file from wasingo[.]info/2/flash.exe.

The second downloaded file is the Chthonic Banking Trojan which is an improved version of the Zeus malware. The Trojan is noted to connect to a C&C server at kingstonevikte[.]com and to be downloading a second payload – the unregistered AZORult malware.

Fortunately, the illicit Trojan campaign was spotted quickly enough and only a few users had clicked on the vicious link. PayPal was immediately alarmed of the problem and measures were taken. Anyway, researchers and experts are just as intrigued as they are concerned.

All this is just another way for cybercriminals to show that they are ready and, most importantly capable, to come up with more and more innovative and creative ideas to go around anything that stands in their way. It doesn’t matter if it is a spam filter, a security defender, an anti-virus program or something else, they won`t stop until they bypass it.

For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C&C, the potential impact is high. At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload,” Proofpoint notes.

PayPal works hard to protect customers and security is a top priority for our company. Based on information we received regarding a possible way to use our request money feature to send spoof or phishing emails, we put additional security protocols in place to safeguard our customers. These protocols recently identified some anomalous usage of this feature and we are aware that attempts were made to use the request money feature to distribute malware to a small number of our customers. We have put measures in place in an effort to prevent the misuse of this feature. We are continuing to carefully monitor the situation and will reach out to any impacted customers.”, Paypal spokesperson stated.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.