There is a new threat on the rise. The Chthonic banking trojan is being spread by hackers via legitimate-looking PayPal emails, as announced by the security firm Proofpoint.
The circulating emails are 'authentic' and do not trigger any warnings, because they are sent from legitimate PayPal accounts.
The sender does not appear to be spoofed. The spam is generated using registered PayPal accounts, which might have been set up using stolen accounts, and the attackers have used the PayPal portal to request money.
In a nutshell, the hackers took advantage of a feature that allows users to include notes when sending money request messages.
Proofpoint picked up a sample which Gmail failed to block, since the message appears to be legitimate.
The personalized note that accompanies the attacker's money request includes a malicious URL.
It is a double-edged sword. The recipient might end up clicking and paying the $100, opening the link and getting infected with the malware, or both.
When the link is clicked, the victim is redirected to a non-PayPal site, which downloads a JavaScript file. Once opened, that file triggers the download of the executable.
The executable is said to be a variant of the Zeus banking trojan, and the command-and-control server for this campaign is kingstonevikte.com.
On top of that, another payload, the AZORult malware, might end up running on the infected system.
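The chain above (a money-request note carrying an off-PayPal link, a redirect that drops a JavaScript downloader, then an executable, then contact with the command-and-control host) can be checked for from the defender's side. The following is an added example and not code from the article or from Proofpoint: it extracts URLs from a request note and flags any whose host is not PayPal's, and it scans constructed web-proxy log lines for a client that fetches a `.js` from a non-PayPal host followed shortly by a `.exe`, or that contacts the C2 domain named in the report. The log format, the `paypal-invoice.example` lure host and the five-minute window are assumptions for this example; only `kingstonevikte.com` comes from the article.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Hosts a genuine PayPal money request may link to (assumption for this example).
PAYPAL_HOSTS = ("paypal.com",)
# Command-and-control domain named in the Proofpoint report summarised above.
KNOWN_C2 = {"kingstonevikte.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_paypal_host(host: str) -> bool:
    """True for paypal.com itself and any of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in PAYPAL_HOSTS)


def suspicious_note_urls(note: str) -> list[str]:
    """URLs in a money-request note that point anywhere other than PayPal."""
    return [u for u in URL_RE.findall(note) if not is_paypal_host(host_of(u))]


# Constructed proxy log (not real traffic): "<ISO time> <client> <method> <url> <status>".
# The lure host paypal-invoice.example is made up; kingstonevikte.com is from the report.
SAMPLE_PROXY_LOG = """\
2016-07-28T09:00:01 10.0.0.5 GET https://www.paypal.com/myaccount/transfer/request 200
2016-07-28T09:00:07 10.0.0.5 GET http://paypal-invoice.example/view 302
2016-07-28T09:00:08 10.0.0.5 GET http://paypal-invoice.example/invoice.js 200
2016-07-28T09:00:15 10.0.0.5 GET http://paypal-invoice.example/update.exe 200
2016-07-28T09:01:02 10.0.0.5 POST http://kingstonevikte.com/gate.php 200
2016-07-28T09:05:00 10.0.0.9 GET https://www.paypal.com/signin 200
2016-07-28T09:05:30 10.0.0.9 GET https://cdn.example/app.js 200
"""


def parse_proxy_line(line: str) -> dict:
    """Split one log line into its fields; timestamps are parsed for window arithmetic."""
    ts, client, method, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "status": int(status)}


def find_downloader_chains(log_text: str, window_seconds: int = 300) -> list[dict]:
    """Return findings for two rules, in log order:
    - js_then_exe: a client fetches a .js from a non-PayPal host and then a .exe
      from a non-PayPal host within window_seconds (the downloader pattern);
    - known_c2: any request to a host in KNOWN_C2.
    """
    findings = []
    last_js = {}  # client -> (timestamp, url) of its most recent off-PayPal .js fetch
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_proxy_line(line)
        host = host_of(ev["url"])
        path = urlparse(ev["url"]).path.lower()
        if host in KNOWN_C2:
            findings.append({"client": ev["client"], "rule": "known_c2", "url": ev["url"]})
        if is_paypal_host(host):
            continue  # traffic to PayPal itself is expected for a real money request
        if path.endswith(".js"):
            last_js[ev["client"]] = (ev["ts"], ev["url"])
        elif path.endswith(".exe") and ev["client"] in last_js:
            js_ts, js_url = last_js[ev["client"]]
            if (ev["ts"] - js_ts).total_seconds() <= window_seconds:
                findings.append({"client": ev["client"], "rule": "js_then_exe",
                                 "js": js_url, "exe": ev["url"]})
    return findings


if __name__ == "__main__":
    note = "Invoice attached at http://paypal-invoice.example/view - pay via https://www.paypal.com/"
    print("off-PayPal links in note:", suspicious_note_urls(note))
    for f in find_downloader_chains(SAMPLE_PROXY_LOG):
        print(f)
```

The note check is the cheap first line: a money request whose note links anywhere but PayPal deserves scrutiny before anyone clicks. The log rule is deliberately narrow (a `.js` then a `.exe` from non-PayPal hosts, same client, short window) so it fires on the downloader behaviour described here rather than on ordinary web browsing, and the client `10.0.0.9`, which only loads a script from a CDN, is not flagged.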
On the lighter side of the news, the campaign seems limited at the moment, perhaps partly owing to the overhead required in opening PayPal accounts or gaining access to compromised ones.
At the time of writing, PayPal has not commented on Proofpoint's findings.