Wednesday, 27 July 2016

00:06 by admin
Legitimate emails sent from PayPal's official email address included links that redirected users to a website that distributed Chthonic, a newer variant of the infamous Zeus banking trojan.

At the source of this problem is a PayPal feature that allows users to request money from other users.

The requester fills in a form with the other user's PayPal email address, the sum to be transferred, and a custom message.

All the emails looked legitimate, because they were legitimate: PayPal itself sent them.

PayPal then takes all this data and sends it to the person from whom the money is requested. The problem here is that all these emails came from PayPal's official email address, and users would have had a hard time detecting anything wrong.

Crooks leveraged the custom message field in the money request form to enter text that included a short URL. This short link resolved to a website that automatically downloaded a file named paypalTransactionDetails.jpeg.js to the user's computer.

If the user ran this JavaScript file, the malicious code would download and install a flash.exe binary that infected the computer with the Chthonic trojan.
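Two defensive checks follow from the chain described above: flag money-request notes that carry links (especially shortened ones), and flag downloaded files whose visible "extension" is an image or document name while the real extension is a script type, as with paypalTransactionDetails.jpeg.js. The code below is an added example, not Proofpoint's or PayPal's code; the shortener host list and the sample note are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Extensions Windows will execute as scripts on double-click (the real
# extension of paypalTransactionDetails.jpeg.js is "js").
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "cmd", "bat", "ps1"}
# Extensions used as the decoy "visible" part of a double-extension name.
DECOY_EXTENSIONS = {"jpeg", "jpg", "png", "gif", "pdf", "doc", "docx", "txt"}

# Constructed, non-exhaustive list of link-shortener hosts for this example;
# a production filter would use a maintained list.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}

# Matches full URLs and scheme-less host/path forms such as "tinyurl.com/abc".
URL_RE = re.compile(
    r"https?://[^\s<>\"']+|(?:[a-z0-9-]+\.)+[a-z]{2,}/[^\s<>\"']*",
    re.IGNORECASE,
)


def is_masquerading_script(filename: str) -> bool:
    """True when a name like 'report.jpeg.js' hides a script behind a decoy extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False  # no double extension at all
    _, decoy, real = parts
    return real in SCRIPT_EXTENSIONS and decoy in DECOY_EXTENSIONS


def triage_note(note: str) -> dict:
    """Classify URLs found in a money-request note.

    Returns {'shortener': [...], 'external': [...]}; 'external' holds links to
    any host other than paypal.com, which a legitimate request note rarely needs.
    """
    result = {"shortener": [], "external": []}
    for url in URL_RE.findall(note):
        full = url if "://" in url else "http://" + url
        host = urlparse(full).hostname or ""
        if host in SHORTENER_HOSTS:
            result["shortener"].append(url)
        elif not (host == "paypal.com" or host.endswith(".paypal.com")):
            result["external"].append(url)
    return result


if __name__ == "__main__":
    # Constructed sample note in the style of the campaign (placeholder link).
    print(triage_note("Please settle the invoice, details: http://bit.ly/EXAMPLE-PLACEHOLDER"))
    print(is_masquerading_script("paypalTransactionDetails.jpeg.js"))
```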

At a later stage, Proofpoint researchers noticed that Chthonic would also download another module, called AZORult. At this time, there are no details on what this module does, and Proofpoint researchers are still investigating its code.

Campaign had a low volume
The good news is that according to Google's statistics, the malicious URL has been accessed only 27 times.

Researchers aren't sure whether the crooks behind this campaign hacked into legitimate PayPal accounts or created new ones from scratch.

"We are not sure how much of this process was automated and how much manual, but the email volume was low," Proofpoint says. "The technique is both interesting and troubling."
