Story image

Compromised websites spreading Chtonic banking trojan

12 Apr 18

Compromised websites are being used to trick users into thinking they have outdated web browser or Flash Player software, thanks to a crafty malware campaign discovered by Malwarebytes.

The ‘FakeUpdates campaign’ has been around since at least December 2017. It works by enslaving websites’ content management systems, and researchers suspect attackers are using outdated websites to spread malicious code, although this hasn’t been completely confirmed.

Two of the affected websites used WordPress and Joomla CMS JavaScript files. A further crawl discovered several hundred websites using the same CMS systems, and the full count of affected websites may number in the thousands.  Approximately 900 websites using Squarespace are also affected.

The malicious code triggers redirect URLs that point to a fake browser update page (Google Chrome, Mozilla Firefox, and Internet Explorer), as well as a fake Flash Player update.

“The decoy pages are hosted on compromised hosts via sub-domains using URIs with very short life spans. Some of those domains have a live (and legitimate website) whereas others are simply parked,” comments researcher Jérôme Segura.

The updates are disguised as JavaScript files that are retrieved from Dropbox. The Dropbox link is updated regularly and well-hidden.

“This JavaScript is heavily obfuscated to make static analysis very difficult and also to hide some crucial fingerprinting that is designed to evade virtual machines and sandboxes,” Segura explains.

The file collect information about the target system including BIOS, MAC address, processes, manufacturer, and its architecture.

Upon successful infection, the process delivers callbacks to its command & control server. The payload is both digitally signed and uses evasion techniques to defeat sandboxes.

One particular sample delivered a variant of the ZeusVM malware called Chtonic. The malware has been around since at least 2014.

Another malware sample downloaded a Remote Access Trojan called NetSupport Remote Access Tool.

“Once again, we noticed the heavy use of obfuscation throughout the delivery of this program that can be used for malicious purposes (file transfer, remote Desktop, etc),” Segura comments.

He says that the campaign uses social engineering and the abuse of a legitimate file hosting service. Because the bait file uses a script rather than an executable, attackers can find different ways to hide the malware.

“Compromised websites were abused to not only redirect users but also to host the fake updates scheme, making their owners unwitting participants in a malware campaign. This is why it is so important to keep Content Management Systems up to date, as well as use good security hygiene when it comes to authentication,” Secura concludes.

How to stay safe when shopping online
Online shopping is a great way to avoid the crowds – but there are risks.
Dell EMC embeds security in latest servers
Dell EMC's 14th generation of PowerEdge servers has comprehensive management tools to provide security across hardware and firmware.
Why data backups should be a part of daily operations
"Disaster recovery needs to address complete system failure and provide a set of security policies to govern disaster incidents."
Businesses focusing on threats from within - survey
Over 50% of respondents reported that 100 days of dwell time or more was representative of their organisation.
Corelight and Exabeam partner to improve network monitoring
The combination of lateral movement and siloed usage of point security products leaves many security teams vulnerable to compromise.
SailPoint releases first identity annual report
SailPoint’s research found that many organisations are lacking maturity in their governance processes over identities.
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.