Story image

Compromised websites spreading Chtonic banking trojan

12 Apr 2018

Compromised websites are being used to trick users into thinking they have outdated web browser or Flash Player software, thanks to a crafty malware campaign discovered by Malwarebytes.

The ‘FakeUpdates campaign’ has been around since at least December 2017. It works by enslaving websites’ content management systems, and researchers suspect attackers are using outdated websites to spread malicious code, although this hasn’t been completely confirmed.

Two of the affected websites used WordPress and Joomla CMS JavaScript files. A further crawl discovered several hundred websites using the same CMS systems, and the full count of affected websites may number in the thousands.  Approximately 900 websites using Squarespace are also affected.

The malicious code triggers redirect URLs that point to a fake browser update page (Google Chrome, Mozilla Firefox, and Internet Explorer), as well as a fake Flash Player update.

“The decoy pages are hosted on compromised hosts via sub-domains using URIs with very short life spans. Some of those domains have a live (and legitimate website) whereas others are simply parked,” comments researcher Jérôme Segura.

The updates are disguised as JavaScript files that are retrieved from Dropbox. The Dropbox link is updated regularly and well-hidden.

“This JavaScript is heavily obfuscated to make static analysis very difficult and also to hide some crucial fingerprinting that is designed to evade virtual machines and sandboxes,” Segura explains.

The file collect information about the target system including BIOS, MAC address, processes, manufacturer, and its architecture.

Upon successful infection, the process delivers callbacks to its command & control server. The payload is both digitally signed and uses evasion techniques to defeat sandboxes.

One particular sample delivered a variant of the ZeusVM malware called Chtonic. The malware has been around since at least 2014.

Another malware sample downloaded a Remote Access Trojan called NetSupport Remote Access Tool.

“Once again, we noticed the heavy use of obfuscation throughout the delivery of this program that can be used for malicious purposes (file transfer, remote Desktop, etc),” Segura comments.

He says that the campaign uses social engineering and the abuse of a legitimate file hosting service. Because the bait file uses a script rather than an executable, attackers can find different ways to hide the malware.

“Compromised websites were abused to not only redirect users but also to host the fake updates scheme, making their owners unwitting participants in a malware campaign. This is why it is so important to keep Content Management Systems up to date, as well as use good security hygiene when it comes to authentication,” Secura concludes.

Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.
Ransomware’s decline equals cryptomining’s rise
ESET’s Security Days Conference recently took place to go over the current threat environment and what to look out for next.
IoT and DDoS attacks: A match made in heaven
A10 Network’s Adrian Taylor uses findings from a number of reports to illustrate his point that advances in technology are facilitating cybercrime.
ForgeRock launches Sandbox-as-a-Service to facilitate compliance
The cloud-based testing environment for APIs enables banks to accelerate compliance with Open Banking and PSD2 deadlines.