Social-engineering campaign with malicious ads spreads Cinobi trojan

Malvertising campaign targeting Japan downloads and launches a banking trojan built to steal credentials

Social-engineering campaign aims at Japan: a banking trojan is delivered to Japanese users via online malvertising.

The latest social-engineering campaign uses malicious ads to spread a threat to Japan's cryptocurrency users. The Cinobi banking trojan is dropped onto infected Windows computers, where it can steal the credentials of the victim's online accounts. The campaign, which some researchers labeled “Operation Overtrap,” specifically targets Japan.

The campaign appears to be the work of a group tracked as Water Kappa, which delivers Cinobi through spam and malicious ads or through the Bottle exploit kit. The kit was updated with two newer Internet Explorer exploits, CVE-2020-1380 and CVE-2021-26411, which had already been used in earlier attacks on Internet Explorer users.[1]

The new malvertising campaign masquerades as a Japanese animated porn game, a reward-points application, or a video-streaming application. The malware has been very active lately, and several variants with small differences have been spotted in the wild.[2]

Water Kappa specifically targets Japan

The new tools and techniques show the threat actors' creativity. Water Kappa places malicious ads for Japanese animated porn games, bonus-points apps, or video-streaming services, and the landing pages ask the victim to download the application. The download is a ZIP archive that consists mostly of files taken from an older (2018) version of the Logitech Capture application.

After the victim clicks the button labeled “index.clientdownload.windows”, the landing page starts downloading the ZIP archive and then shows instructions on how to open, extract, and run the main file. Access to the site is filtered by IP address: visitors from non-Japanese IP addresses see only error messages, which also means that sandboxes or analysts connecting from outside Japan never receive the payload.[3]

The IP filtering is not the only targeting in play. Cinobi is configured to steal credentials for 11 Japanese financial institutions, three of which offer bitcoin trading. When the user visits one of the targeted sites, the Cinobi module is triggered and the information the user enters can be captured.

Threat actors are evolving and present new threats

Cybersecurity experts believe the new malvertising campaign shows how active threat actors are and how quickly they develop. New ideas stem from the need for financial gain, and tools and tactics keep evolving. To reduce the likelihood of infection, users should be wary of strange advertisements on dubious websites and, wherever possible, download programs only from reputable sources.

Malvertising is usually described as an attack in which criminals inject malicious code into legitimate online advertising networks; the code then redirects unsuspecting users to malicious websites. Large businesses and news sites have been hit by such attacks, including the London Stock Exchange and The New York Times.[4]

Malvertising is more likely to slip onto ad networks with poor security and monitoring practices, so site owners should work only with reputable networks. A Content Security Policy (CSP) should be deployed as well, since it lets a site restrict which origins may serve scripts, frames, and other content on its pages and so limits what a compromised ad slot can do.[5] One caveat: a CSP on the publisher's page governs what that page itself loads; a creative rendered inside a cross-origin ad iframe runs under the ad network's policy, so restricting frame-src to known networks and sandboxing ad iframes matter as much as script-src. Up-to-date anti-virus software on the client remains a must.
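As an added illustration (not code from this article or from the researchers it cites), the following Python script shows what the CSP recommendation means in practice: it parses a Content-Security-Policy header, answers whether a given directive would let a URL load, and flags the settings that leave a compromised ad slot free to run script. The publisher origin news.example, the ad-network hosts under adnetwork.example, the payload URL, and both sample policies are constructed placeholders.

```python
"""Added example, not from the original article: a small CSP auditor.
news.example, *.adnetwork.example and both policies are constructed placeholders."""
from urllib.parse import urlsplit

# Constructed sample policies: the weak one is typical of ad-funded sites,
# the hardened one allowlists a single (hypothetical) ad network.
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:"
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://ads.adnetwork.example; "
    "frame-src https://ads.adnetwork.example; "
    "img-src 'self' https://cdn.adnetwork.example data:; "
    "object-src 'none'; base-uri 'self'"
)
SITE = "https://news.example"  # the publisher's own origin, used for 'self'


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Browsers honour only the first occurrence of a repeated directive, hence
    setdefault(). Keywords and hosts are case-insensitive, so everything is
    lower-cased; nonces and hashes (case-sensitive) are ignored by this tool."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources governing a fetch directive, with the default-src fallback.
    An empty result means nothing applies and the browser allows everything."""
    return policy.get(directive) or policy.get("default-src", [])


def _host_matches(pattern: str, host: str) -> bool:
    """CSP host matching: '*.example' matches subdomains but not the apex."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def allows(header: str, directive: str, url: str, site: str = SITE) -> bool:
    """Would a browser enforcing `header` let `directive` load `url`?
    Handles 'none', '*', 'self', scheme sources (https:, data:) and host
    sources with an optional scheme and leading wildcard; paths are ignored."""
    sources = effective_sources(parse_csp(header), directive)
    if not sources:
        return True
    if "'none'" in sources:
        return False
    target, own = urlsplit(url), urlsplit(site)
    for s in sources:
        if s == "*":
            return True
        if s == "'self'":
            if (target.scheme, target.netloc) == (own.scheme, own.netloc):
                return True
        elif s.startswith("'"):        # 'unsafe-inline', 'nonce-...', 'sha256-...'
            continue
        elif s.endswith(":"):          # scheme source
            if target.scheme == s[:-1]:
                return True
        else:                          # host source, optional scheme and port
            scheme, _, rest = s.rpartition("://")
            if scheme and scheme != target.scheme:
                continue
            host = rest.split("/")[0].split(":")[0]
            if _host_matches(host, (target.hostname or "").lower()):
                return True
    return False


def audit(header: str) -> list[str]:
    """Flag the settings that let a malicious creative run arbitrary script."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("missing default-src: every directive you forgot is wide open")
    scripts = effective_sources(policy, "script-src")
    if not scripts or "*" in scripts:
        findings.append("script-src: any origin may serve script")
    for keyword, why in (("'unsafe-inline'", "inline script and javascript: URLs run"),
                         ("'unsafe-eval'", "eval() of ad-delivered strings runs"),
                         ("data:", "data: URLs can smuggle script")):
        if keyword in scripts:
            findings.append(f"script-src {keyword}: {why}")
    if "'none'" not in effective_sources(policy, "object-src"):
        findings.append("object-src not 'none': plugin content can be embedded")
    if "frame-src" not in policy and "child-src" not in policy:
        findings.append("frame-src unset: ad iframes may come from anywhere default-src allows")
    return findings


if __name__ == "__main__":
    payload = "https://evil.example/redirect.js"   # hypothetical malvertising script
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{name}: script from {payload} allowed={allows(csp, 'script-src', payload)}")
        for finding in audit(csp):
            print("  -", finding)
```

Run as a script, it reports for each policy whether the hypothetical malvertising script would be permitted and lists the audit findings. Two details the sample brings out: a directive that is missing falls back to default-src, so a policy with no default-src leaves every forgotten directive open, and browsers keep only the first copy of a repeated directive, so a permissive duplicate appended by an ad tag or a proxy is silently ignored rather than merged.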

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst and the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
