U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

PayPal accounts abused to distribute the Chthonic Banking Trojan

Experts from Proofpoint discovered that the Banking trojan Chthonic was distributed via ‘legitimate’ PayPal accounts by abusing the “money request” feature. The imagination of cyber criminals is a never-ending pit, according to the security firm Proofpoint, crooks are abusing PayPal to distribute the Chtonic banking trojan. Chtonic is a strain of the most notorious Zeus Trojan, the […]

PayPal accounts abused to distribute the Chthonic Banking Trojan

Experts from Proofpoint discovered that the Banking trojan Chthonic was distributed via ‘legitimate’ PayPal accounts by abusing the “money request” feature.

The imagination of cyber criminals is a never-ending pit, according to the security firm Proofpoint, crooks are abusing PayPal to distribute the Chtonic banking trojan. Chtonic is a strain of the most notorious Zeus Trojan, the researchers spotted a new campaign leveraging on emails sent by genuine PayPal accounts.

The attackers in this way could bypass anti-spam filters and antivirus solutions because the emails come via genuine PayPal accounts.

One sample analyzed by Proofpoint was not detected by Gmail because the message appeared to be legitimate.

“Specifically, we observed emails with the subject “You’ve got a money request” that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to “request money.” We are not sure how much of this process was automated and how much manual, but the email volume was low.” reported a security advisory from Proofpoint.

The attackers abused the “request money” feature that gives PayPal the possibility to include notes when sending money request messages.

Chthonic Banking Trojan PayPal

“PayPal’s money request feature allows adding a note along with the request [and] the attacker crafted a personalised message and included a malicious URL,” continues the advisory. “In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both.”

When the victim clicks on the link embedded in the message it will be redirected to a non-PayPal website that downloads an obfuscated JavaScript file called paypalTransactionDetails.jpeg.js. Opening the JavaScript file downloads the Chthonic Trojan. The link included in the message was generated with the Google URL shortener (it is a Goo.gl link).

“If the user does click on the Goo.gl link, they are redirected to katyaflash[.]com/pp.php, which downloads an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js to the user’s system. If the user then opens the JavaScript file, it downloads an executable from wasingo[.]info/2/flash.exe. This executable is Chthonic, a variant of the Zeus banking Trojan. ” added Proofpoint.

It is interesting to note that Chthonic executable also downloads a second-stage payload that is a totally new called AZORult.

The experts noticed that the campaign has still a low volume because the overhead necessary to set up PayPal accounts to send the malicious requests.

The analysis of the URL included in the message, a Goo.gl link, revealed that it has been clicked only 27 times.

Give a look to the ProofPoint analysis, it includes also Indicators of compromise (IOC’s).

 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Chthonic, PayPal)

[adrotate banner=”5″]

[adrotate banner=”13″]