
Compromised websites spreading Chtonic banking trojan

12 Apr 2018

Compromised websites are being used to trick users into thinking they have outdated web browser or Flash Player software, thanks to a crafty malware campaign discovered by Malwarebytes.

The ‘FakeUpdates campaign’ has been around since at least December 2017. It works by enslaving websites’ content management systems, and researchers suspect attackers are using outdated websites to spread malicious code, although this hasn’t been completely confirmed.

Two of the affected websites used WordPress and Joomla CMS JavaScript files. A further crawl discovered several hundred websites using the same CMS systems, and the full count of affected websites may number in the thousands. Approximately 900 websites using Squarespace are also affected.
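Because the campaign works by altering JavaScript files that a CMS already serves, the first thing a site owner needs is a way to notice that a served file has changed. The following is an added example, not code from the article or from Malwarebytes: a minimal file-integrity check that hashes a tree of JavaScript files, stores a baseline, and reports modified, added and missing files. The directory layout, file contents and the tampering in `demo()` are all constructed for the demonstration.

```python
"""Added example: baseline-and-compare integrity check for CMS JavaScript.
Nothing here is from the original article; the tree built in demo() is a
constructed stand-in for a WordPress theme directory."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exts=(".js",)):
    """Walk root and record the hash of every file with a matching extension,
    keyed by path relative to root (so the baseline survives a move)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def check_integrity(root, baseline, exts=(".js",)):
    """Compare the current tree to a stored baseline.
    Returns sorted lists of modified, added and missing relative paths."""
    current = build_baseline(root, exts)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: snapshot a clean tree, then append to one script
    and drop a new one, which is how an injected loader shows up on disk."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "demo")
        os.makedirs(theme)
        with open(os.path.join(theme, "main.js"), "w") as f:
            f.write("console.log('site script');\n")
        with open(os.path.join(theme, "style.css"), "w") as f:
            f.write("body{}\n")  # non-JS file, ignored by the baseline
        baseline = build_baseline(root)

        # tamper after the baseline was taken
        with open(os.path.join(theme, "main.js"), "a") as f:
            f.write("/* appended block */\n")
        with open(os.path.join(theme, "extra.js"), "w") as f:
            f.write("// new file\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after a clean install or update, stored off the web host, and the comparison is scheduled; any hit in `modified` or `added` that does not line up with a known deployment is what should be investigated.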

The malicious code triggers redirect URLs that point to a fake browser update page (Google Chrome, Mozilla Firefox, and Internet Explorer), as well as a fake Flash Player update.

“The decoy pages are hosted on compromised hosts via sub-domains using URIs with very short life spans. Some of those domains have a live (and legitimate website) whereas others are simply parked,” comments researcher Jérôme Segura.

The updates are disguised as JavaScript files that are retrieved from Dropbox. The Dropbox link is updated regularly and well-hidden.

“This JavaScript is heavily obfuscated to make static analysis very difficult and also to hide some crucial fingerprinting that is designed to evade virtual machines and sandboxes,” Segura explains.

The file collects information about the target system including BIOS, MAC address, processes, manufacturer, and its architecture.

Upon successful infection, the process delivers callbacks to its command & control server. The payload is both digitally signed and uses evasion techniques to defeat sandboxes.

One particular sample delivered a variant of the ZeusVM malware called Chtonic. The malware has been around since at least 2014.

Another malware sample downloaded a Remote Access Trojan called NetSupport Remote Access Tool.

“Once again, we noticed the heavy use of obfuscation throughout the delivery of this program that can be used for malicious purposes (file transfer, remote Desktop, etc),” Segura comments.

He says that the campaign uses social engineering and the abuse of a legitimate file hosting service. Because the bait file uses a script rather than an executable, attackers can find different ways to hide the malware.
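Since the bait is a script file downloaded through the browser rather than an executable, one endpoint-side control is to watch for a Windows script host being launched on a `.js` file that sits in a user's download or temp directory or whose parent process is a browser. The following is an added example, not from the article or from Malwarebytes: a small detector run over constructed process-creation events in a made-up `key=value;key=value` format. That Windows Script Host is the interpreter, the log format, and all paths and PIDs are assumptions for the demonstration.

```python
"""Added example: flag script-host launches of a .js file from a user-writable
download location or with a browser as parent. The event format and every
sample event below are constructed for this demo."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
# user-writable locations where a browser drops downloaded files (assumed layout)
USER_DIR_RE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)


def parse_event(line):
    """Parse a constructed 'key=value;key=value' process-creation record."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event):
    """True when a script host runs a .js file from a user download/temp
    directory, or is spawned directly by a browser."""
    if basename(event.get("image", "")) not in SCRIPT_HOSTS:
        return False
    cmd = event.get("cmdline", "")
    if not re.search(r"\.js\b", cmd, re.IGNORECASE):
        return False
    return bool(USER_DIR_RE.search(cmd)) or basename(event.get("parent", "")) in BROWSERS


def scan(lines):
    """Return the PIDs of events that match, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            hits.append(event.get("pid"))
    return hits


# constructed sample events: two should match, two are routine script use
SAMPLE_EVENTS = [
    r"pid=4120;image=C:\Windows\System32\wscript.exe;parent=C:\Windows\explorer.exe;"
    r'cmdline="C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\browser_update.js"',
    r"pid=4121;image=C:\Windows\System32\cscript.exe;parent=C:\Windows\System32\cmd.exe;"
    r"cmdline=cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
    r"pid=4122;image=C:\Windows\System32\wscript.exe;parent=C:\Program Files\Mozilla Firefox\firefox.exe;"
    r"cmdline=wscript.exe C:\ProgramData\temp\update.js",
    r"pid=4123;image=C:\Windows\System32\wscript.exe;parent=C:\Windows\explorer.exe;"
    r'cmdline=wscript.exe "C:\Program Files\Vendor\maint.js"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The rule deliberately ignores `.vbs` administration scripts and vendor scripts under `Program Files`, so it stays quiet on routine use; tune `USER_DIR_RE` and `BROWSERS` to the environment's actual download locations and browsers before relying on it.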

“Compromised websites were abused to not only redirect users but also to host the fake updates scheme, making their owners unwitting participants in a malware campaign. This is why it is so important to keep Content Management Systems up to date, as well as use good security hygiene when it comes to authentication,” Segura concludes.
