The imagination of cyber criminals is a never-ending pit, according to the security firm Proofpoint, crooks are abusing PayPal to distribute the Chtonic banking trojan. Chtonic is a strain of the most notorious Zeus Trojan, the researchers spotted a new campaign leveraging on emails sent by genuine PayPal accounts.
The attackers in this way could bypass anti-spam filters and antivirus solutions because the emails come via genuine PayPal accounts.
One sample analyzed by Proofpoint was not detected by Gmail because the message appeared to be legitimate.
“Specifically, we observed emails with the subject “You’ve got a money request” that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to “request money.” We are not sure how much of this process was automated and how much manual, but the email volume was low.” reported a security advisory from Proofpoint.
The attackers abused the “request money” feature that gives PayPal the possibility to include notes when sending money request messages.
“PayPal’s money request feature allows adding a note along with the request [and] the attacker crafted a personalised message and included a malicious URL,” continues the advisory. “In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both.”
It is interesting to note that Chthonic executable also downloads a second-stage payload that is a totally new called AZORult.
The analysis of the URL included in the message, a Goo.gl link, revealed that it has been clicked only 27 times.
Give a look to the ProofPoint analysis, it includes also Indicators of compromise (IOC’s).
(Security Affairs – Chthonic, PayPal)