PayPal accounts abused to distribute the Chthonic Banking Trojan

Experts from Proofpoint discovered that the Banking trojan Chthonic was distributed via ‘legitimate’ PayPal accounts by abusing the “money request” feature.

The imagination of cyber criminals is a never-ending pit, according to the security firm Proofpoint, crooks are abusing PayPal to distribute the Chtonic banking trojan. Chtonic is a strain of the most notorious Zeus Trojan, the researchers spotted a new campaign leveraging on emails sent by genuine PayPal accounts.

The attackers in this way could bypass anti-spam filters and antivirus solutions because the emails come via genuine PayPal accounts.

One sample analyzed by Proofpoint was not detected by Gmail because the message appeared to be legitimate.

“Specifically, we observed emails with the subject “You’ve got a money request” that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to “request money.” We are not sure how much of this process was automated and how much manual, but the email volume was low.” reported a security advisory from Proofpoint.

The attackers abused the “request money” feature that gives PayPal the possibility to include notes when sending money request messages.

“PayPal’s money request feature allows adding a note along with the request [and] the attacker crafted a personalised message and included a malicious URL,” continues the advisory. “In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both.”

When the victim clicks on the link embedded in the message it will be redirected to a non-PayPal website that downloads an obfuscated JavaScript file called paypalTransactionDetails.jpeg.js. Opening the JavaScript file downloads the Chthonic Trojan. The link included in the message was generated with the Google URL shortener (it is a Goo.gl link).

“If the user does click on the Goo.gl link, they are redirected to katyaflash[.]com/pp.php, which downloads an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js to the user’s system. If the user then opens the JavaScript file, it downloads an executable from wasingo[.]info/2/flash.exe. This executable is Chthonic, a variant of the Zeus banking Trojan. ” added Proofpoint.

It is interesting to note that Chthonic executable also downloads a second-stage payload that is a totally new called AZORult.

The analysis of the URL included in the message, a Goo.gl link, revealed that it has been clicked only 27 times.

Give a look to the ProofPoint analysis, it includes also Indicators of compromise (IOC’s).

Pierluigi Paganini

(Security Affairs – Chthonic, PayPal)

[adrotate banner=”5″]

[adrotate banner=”13″]