Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan

July 26, 2016

While many email providers, clients, and anti-spam engines have become adept at detecting spam, malicious messages sent via high-profile, legitimate providers are much harder to catch. Threat actors continue to look for new ways to bypass these engines and, in the latest example of innovative approaches to malware distribution, have managed to co-opt PayPal services in a small campaign.

Proofpoint analysts recently noticed an interesting abuse of legitimate service in order to deliver malicious content. Specifically, we observed emails with the subject “You’ve got a money request” that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to “request money.” We are not sure how much of this process was automated and how much manual, but the email volume was low. 


Figure 1: Email delivering malicious content

Although the actual email address is obscured in Figure 1, this message was sent to a Gmail inbox. Gmail failed to block the email since it appears legitimate. PayPal’s money request feature allows adding a note along with the request, where the attacker crafted a personalized message and included a malicious URL. In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both.

If the user does click on the Goo.gl link, they are redirected to katyaflash[.]com/pp.php, which downloads an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js to the user’s system. If the user then opens the JavaScript file, it downloads an executable from wasingo[.]info/2/flash.exe. This executable is Chthonic, a variant of the Zeus banking Trojan. The command and control (C&C) for this instance is kingstonevikte[.]com. The following screenshot more clearly illustrates the sequence of events:


Figure 2: Network traffic generated starting with user clicking on the malicious URL and opening the downloaded JavaScript

It is also interesting that Chthonic downloads a second-stage payload, a previously undocumented malware “AZORult” which we are currently investigating:


Figure 3: Logo used internally by the AZORult module

Conclusion

Although the scale of this campaign appeared to be relatively small (this particular example was only detected through one of our spamtraps; as of the writing of this blog, the malicious link has only been clicked 27 times according to Google Analytics for the URL shortener), the technique is both interesting and troubling. For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C&C, the potential impact is high. At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload.

PayPal has been notified of this particular abuse of service but this represents yet another technique threat actors can use to bypass traditional defenses, regardless of the specific provider.

Indicators of Compromise (IOC’s)

IOC

IOC Type

Description

[hxxp://goo[.]gl/G7z1aS?paypal-nonauthtransaction.jpg]

URL

URL in the email message

[hxxp://katyaflash[.]com/pp.php]

URL

URL after the goo.gl redirect (hosting the js)

865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4

SHA256

paypalTransactionDetails.jpeg.js

[hxxp://wasingo[.]info/2/flash.exe]

URL

JavaScript payload

0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141

SHA256

flash.exe

kingstonevikte[.]com

Domain

Chthonic C&C

[hxxp://www.viscot[.]com/system/helper/bzr.exe]

URL

Chthonic 2nd Stage hosting

10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a

SHA256

Chthonic 2nd Stage (AZORult)

[91.215.154[.]202/AZORult/gate.php]

URL

AZORult C&C

Select ET Signatures that would fire on such traffic:

2810099 || ETPRO TROJAN Chthonic CnC Beacon
2811901 || ETPRO TROJAN Chthonic CnC Beacon 
2821358 || ETPRO TROJAN Win32/Zbot Variant Checkin