Researchers at Trend Micro discovered a new social engineering-based malvertising campaign targeting Japanese users with a malicious application disguised as a free porn game, a reward points application, or a video streaming app.
The malicious application uses a sideloading technique to show the victim arbitrary web pages and ultimately deploy the Cinobi banking trojan. Researchers say the campaign shares much in common with the Cinobi campaign they identified last year and consider it a rebranded version of it. The trojan's configuration remained the same, except that it now targets a list of cryptocurrency exchange websites in Japan.
Last year, researchers at Trend Micro unearthed a new banking trojan, which they dubbed Cinobi. The banking malware was part of a campaign called “Operation Overtrap”, operated by a malicious group known as “Water Kappa”. The group deployed the trojan in two ways: either via spam or via the Bottle exploit kit, which contained CVE-2020-1380 and CVE-2021-26411 (two Internet Explorer exploits). Notably, only Internet Explorer users were targeted through those malvertising attacks.
Throughout 2020 and the first half of 2021, researchers observed limited activity from the group, with traffic decreasing in mid-June, possibly suggesting that the group was turning to new tools and techniques. Earlier this month, researchers discovered the banking malware targeting users in Japan by abusing sideloading bugs. Researchers at Trend Micro believe that the same attackers behind the “Operation Overtrap” campaign are behind this new one.
The malvertising campaign targets users with malvertisements built around five different themes. All of them trick victims into downloading the same archive containing the malware files. After the victim clicks the download button (“index.clientdownload.windows”), the site serves a ZIP archive containing the main executable file.
Researchers noted that the malicious website can be accessed only from Japanese IP addresses, and that the threat actors behind the campaign are after cryptocurrency: credentials for cryptocurrency accounts are now the primary target of the Cinobi banking trojan.
The threat actors have produced a few more versions of the banking malware with slight differences between them. The most important difference is in the configuration file responsible for the form-grabbing functionality. The banking trojan has been spotted targeting users of 11 Japanese financial institutions, including banks and cryptocurrency trading companies. To avoid infection, researchers advise users to be extra cautious of suspicious advertisements and to install only legitimate applications from trusted sources.
Source: https://www.ehackingnews.com/2021/08/cinobi-banking-malware-targets-japanese.html