Social engineering campaign with malicious ads spreads Cinobi Trojan
Malicious ad campaign targeting Japan loads and launches data theft-focused banking Trojan
Banking Trojan delivered to Japanese users via malicious online advertisements.
The latest social engineering campaign uses malicious ads to spread a banking Trojan to cryptocurrency users in Japan. The Cinobi banking Trojan is installed on the infected Windows computers and can steal account credentials. The campaign, which some researchers have called "Operation Overtrap", specifically targets Japan.
The campaign appears to be the work of a group tracked as Water Kappa, which delivers Cinobi either through malicious ads or through the Bottle exploit kit. That kit carries exploits for two Internet Explorer vulnerabilities, CVE-2020-1380 and CVE-2021-26411, both of which the group used in earlier attacks on Internet Explorer users.
The new malicious ad campaign poses as an animated adult game, a reward points app, or a video streaming app. The malware has been very active recently, and several variants with small differences have appeared across the web.
Water Kappa specifically targets Japan
The threat actors' new tools and techniques show their creativity. Water Kappa places malicious advertisements for Japanese animated adult games, bonus point apps, or video streaming services; the landing pages they lead to ask the victim to download the advertised app. The download is a ZIP archive that consists mostly of files from an older, 2018 version of the legitimate Logitech Capture application.
Clicking the button labelled "index.clientdownload.windows" makes the landing page serve the ZIP archive, followed by instructions on how to open and extract it and run the main file. Access to the site is filtered by IP address: visitors from non-Japanese IP addresses only see error messages.
The IP filtering keeps the landing pages out of sight of non-Japanese visitors; the malware itself targets the credentials of 11 Japanese financial institutions, three of which are active in bitcoin trading. When the victim visits one of the targeted sites, the Cinobi module activates and captures the information the victim enters.
Threat actors evolve and present new threats
Security researchers see the new malicious ad campaign as a sign of how active the threat actors are and how quickly they develop. Driven by financial gain, they keep refining their tooling and tactics. To reduce the risk of infection, users should be wary of unusual advertisements on questionable websites and, where possible, download programs only from trusted sources.
Malicious advertising (malvertising) is generally described as an attack in which attackers inject malicious code into legitimate online ad networks; that code then redirects unwitting users to malicious websites. Large commercial enterprises and news sites have been hit by such attacks, including the London Stock Exchange and the New York Times.
Malvertising is more likely to reach users through ad networks with weak security and monitoring practices, so site operators should work only with reputable ad networks. They should also deploy a Content Security Policy (CSP), which restricts the origins from which a page may load scripts and other content, so that an ad tag cannot pull in code from an arbitrary domain. Endpoint antivirus protection remains a baseline on the user's side.
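To make the CSP advice concrete, here is an added example (not code from the article or from the Cinobi research) in JavaScript: a small evaluator for the `script-src` directive of a Content-Security-Policy header, run against a permissive policy and a strict allowlist. It shows why `script-src *` gives a compromised ad network free rein while an explicit allowlist blocks a script pulled from an unexpected host. All domain names (`news.example.test`, `ads.vetted-network.test`, `ads.rogue-cdn.test`) are constructed placeholders, not indicators from the campaign, and the evaluator covers only the source forms used here ('self', 'none', `*`, scheme, host, scheme://host and `*.host`); nonces, hashes, ports, paths and `'unsafe-inline'` are deliberately left out.

```javascript
// Added example: simplified CSP script-src evaluation (not from the article).
// Domains below are constructed placeholders, not indicators from the campaign.

// Parse "default-src 'self'; script-src 'self' https://x.test" into
// { "default-src": ["'self'"], "script-src": ["'self'", "https://x.test"] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression permit loading `resource` (a URL object) into a
// page served from `pageOrigin`? Subset only: 'self', 'none', '*', "scheme:",
// "host", "scheme://host" and "*.host" (ports, paths, nonces, hashes omitted).
function sourceMatches(source, resource, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return resource.origin === pageOrigin;
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return resource.protocol === source.toLowerCase(); // scheme-only source
  }
  let scheme = null;
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/i);
  if (m) {
    scheme = m[1].toLowerCase() + ":";
    host = m[2];
  }
  if (scheme && resource.protocol !== scheme) return false;
  host = host.toLowerCase();
  const rhost = resource.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // "*.example.test" -> ".example.test"
    return rhost.endsWith(suffix) && rhost.length > suffix.length;
  }
  return rhost === host;
}

// True if the policy lets the page load a script from resourceUrl.
// As in the CSP spec, script-src falls back to default-src when absent,
// and a header with neither directive imposes no script restriction.
function scriptAllowed(header, pageOrigin, resourceUrl) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true;
  const resource = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, resource, pageOrigin));
}

// Weak policy: any host may serve scripts, so an ad tag that has been
// redirected to an attacker-controlled domain still executes.
const WEAK_CSP = "default-src 'self'; script-src *";
// Strict policy: only the page's own origin and one vetted ad host.
const STRICT_CSP =
  "default-src 'self'; script-src 'self' https://ads.vetted-network.test";

// Constructed sample of script loads a publisher page might make;
// "ads.rogue-cdn.test" stands in for the host a malvertising chain lands on.
const PAGE_ORIGIN = "https://news.example.test";
const SAMPLE_LOADS = [
  "https://news.example.test/js/app.js",
  "https://ads.vetted-network.test/tag.js",
  "https://ads.rogue-cdn.test/loader.js",
];

// Map each sample URL to whether the given policy would let it run.
function evaluate(header) {
  return Object.fromEntries(
    SAMPLE_LOADS.map((u) => [u, scriptAllowed(header, PAGE_ORIGIN, u)])
  );
}

console.log("weak policy  :", evaluate(WEAK_CSP));
console.log("strict policy:", evaluate(STRICT_CSP));
```

Under the weak policy all three loads are permitted; under the strict one the rogue host is refused while the page's own scripts and the vetted ad host still work. Note the caveat a practitioner would add: a page-level CSP governs resources loaded into that page's own browsing context. Ads served inside cross-origin iframes run under their own policy, so `frame-src` and iframe `sandbox` attributes are needed alongside `script-src` to limit what an embedded ad can do.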