The imagination of cyber criminals is a never-ending pit, according to the security firm Proofpoint, crooks are abusing PayPal to distribute the Chtonic banking trojan. Chtonic is a strain of the most notorious Zeus Trojan, the researchers spotted a new campaign leveraging on emails sent by genuine PayPal accounts.
The attackers in this way could bypass anti-spam filters and antivirus solutions because the emails come via genuine PayPal accounts.
One sample analyzed by Proofpoint was not detected by Gmail because the message appeared to be legitimate.
“Specifically, we observed emails with the subject “You’ve got a money request” that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to “request money.” We are not sure how much of this process was automated and how much manual, but the email volume was low.” reported a security advisory from Proofpoint.
The attackers abused the “request money” feature that gives PayPal the possibility to include notes when sending money request messages.
“PayPal’s money request feature allows adding a note along with the request [and] the attacker crafted a personalised message and included a malicious URL,” continues the advisory. “In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both.”
It is interesting to note that Chthonic executable also downloads a second-stage payload that is a totally new called AZORult.
The analysis of the URL included in the message, a Goo.gl link, revealed that it has been clicked only 27 times.
Give a look to the ProofPoint analysis, it includes also Indicators of compromise (IOC’s).
(Security Affairs – Chthonic, PayPal)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.