Story image

Compromised websites spreading Chtonic banking trojan

12 Apr 18

Compromised websites are being used to trick users into thinking they have outdated web browser or Flash Player software, thanks to a crafty malware campaign discovered by Malwarebytes.

The ‘FakeUpdates campaign’ has been around since at least December 2017. It works by enslaving websites’ content management systems, and researchers suspect attackers are using outdated websites to spread malicious code, although this hasn’t been completely confirmed.

Two of the affected websites used WordPress and Joomla CMS JavaScript files. A further crawl discovered several hundred websites using the same CMS systems, and the full count of affected websites may number in the thousands.  Approximately 900 websites using Squarespace are also affected.

The malicious code triggers redirect URLs that point to a fake browser update page (Google Chrome, Mozilla Firefox, and Internet Explorer), as well as a fake Flash Player update.

“The decoy pages are hosted on compromised hosts via sub-domains using URIs with very short life spans. Some of those domains have a live (and legitimate website) whereas others are simply parked,” comments researcher Jérôme Segura.

The updates are disguised as JavaScript files that are retrieved from Dropbox. The Dropbox link is updated regularly and well-hidden.

“This JavaScript is heavily obfuscated to make static analysis very difficult and also to hide some crucial fingerprinting that is designed to evade virtual machines and sandboxes,” Segura explains.

The file collect information about the target system including BIOS, MAC address, processes, manufacturer, and its architecture.

Upon successful infection, the process delivers callbacks to its command & control server. The payload is both digitally signed and uses evasion techniques to defeat sandboxes.

One particular sample delivered a variant of the ZeusVM malware called Chtonic. The malware has been around since at least 2014.

Another malware sample downloaded a Remote Access Trojan called NetSupport Remote Access Tool.

“Once again, we noticed the heavy use of obfuscation throughout the delivery of this program that can be used for malicious purposes (file transfer, remote Desktop, etc),” Segura comments.

He says that the campaign uses social engineering and the abuse of a legitimate file hosting service. Because the bait file uses a script rather than an executable, attackers can find different ways to hide the malware.

“Compromised websites were abused to not only redirect users but also to host the fake updates scheme, making their owners unwitting participants in a malware campaign. This is why it is so important to keep Content Management Systems up to date, as well as use good security hygiene when it comes to authentication,” Secura concludes.

Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
SingleSource scores R&D grant to explore digital identity over blockchain
Callaghan Innovation has awarded a $318,000 R&D grant to Auckland-based firm SingleSource, a company that applies risk scoring to digital identity.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Spark Lab launches free cybersecurity tool for SMBs
Spark Lab has launched a new tool that it hopes will help New Zealand’s small businesses understand their cybersecurity risks.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t.