This is a security alert for all TruShield clients, the financial services industry, and the community as a whole. We have learned of a new variant of the Zeus Trojan called Chthonic Banking. This Trojan uses PayPal's own money-request emails to spread.
About Chthonic Banking Trojan
Chthonic was discovered by Proofpoint analysts. This Trojan spreads by email, and the emails come from a legitimate service: PayPal. The malicious actors send an email to the intended victim. In one example examined closely by Proofpoint analysts, the subject of the email contained the phrase “You’ve got a money request” and the message appeared to have come from PayPal. According to Proofpoint, the senders of the emails are not spoofed; they are legitimate or stolen PayPal accounts, and the malicious actors use these accounts to send money requests.
The problem is that because this email is sent from a legitimate service and from a legitimate account, it is not blocked: the message itself carries no malicious content. The malicious URL is inserted into the notes section of the PayPal money request, so it appears in the body of the email that PayPal sends. The malicious actors use social engineering tactics to get their victims to click on the link they included in that specially crafted note. A person receiving such an email would naturally want to look into it, either because they do not remember owing the money or because they want to find out more about the request. So the likelihood of users clicking on the malicious link is very high: the message deals with money, and most individuals have financial accounts connected to their PayPal account.
Indicators of Compromise
|URL in the email message:|
|URL after the goo.gl redirect (hosting the js):|
|Domain Chthonic C&C:|
|URL Chthonic 2nd Stage hosting:|
|SHA256 Chthonic 2nd Stage (AZORult):|
- Avoid clicking on links in an email. Type the website address directly into the browser's address bar to navigate to a particular business page.
- Consider using open source analysis tools to analyze URLs within an email before following them.
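The two points above (a message from a genuine PayPal account that still carries an attacker-supplied link, and the recommendation to analyze email URLs rather than trust the sender) can be turned into a simple content check. The following is an added example written for this alert, not code from TruShield or Proofpoint: it parses a constructed money-request notification, ignores the fact that the sender domain is PayPal's own, and instead classifies every URL in the body. Links to a URL shortener (the alert mentions a goo.gl redirect) or to any domain other than PayPal's are flagged for review. The sample email, the `goo.gl/EXAMPLE0` link and the shortener list are constructed placeholders, not indicators from the alert.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample in the style of the notification described in the alert.
# The From: domain is PayPal's own, so sender-reputation checks pass it; the
# attacker-controlled content is the free-text note. Placeholder URL, not an IoC.
SAMPLE_EMAIL = """From: service@paypal.com
To: victim@example.com
Subject: You've got a money request

Jane Doe sent you a money request for $249.00.
Note from sender: Invoice and photos of the damaged goods are here:
https://goo.gl/EXAMPLE0  (please review before paying)
View the request at https://www.paypal.com/myaccount/transactions
"""

URL_RE = re.compile(r"https?://[^\s<>()\"']+")
# Constructed list of common shortener domains; extend with your own telemetry.
URL_SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}
# Domains a genuine PayPal notification is expected to link to.
EXPECTED_DOMAINS = {"paypal.com"}


def registrable_domain(host: str) -> str:
    """Crude last-two-labels fallback (www.paypal.com -> paypal.com).
    Good enough for this sample; use a public-suffix library in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_urls(text: str) -> list:
    # Trim trailing punctuation the regex may have swallowed.
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def classify_url(url: str) -> str:
    """'expected' for PayPal's own domain, 'shortener' for redirect services,
    'external' for anything else. Shorteners are treated as suspicious because
    they hide the real destination, which is exactly the pattern in this campaign."""
    host = urlparse(url).hostname or ""
    dom = registrable_domain(host)
    if dom in URL_SHORTENERS:
        return "shortener"
    if dom in EXPECTED_DOMAINS:
        return "expected"
    return "external"


def analyze_email(raw: str) -> dict:
    """Parse one RFC 822 message and report every link that does not point at
    the expected domain, regardless of whether the sender looks legitimate."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    sender_domain = registrable_domain(sender.split("@")[-1].strip(">"))
    body = msg.get_payload()
    findings = [{"url": u, "verdict": classify_url(u)} for u in extract_urls(body)]
    suspicious = [f for f in findings if f["verdict"] != "expected"]
    return {
        "sender": sender,
        "sender_is_expected_domain": sender_domain in EXPECTED_DOMAINS,
        "urls": findings,
        "suspicious_count": len(suspicious),
        "verdict": "review" if suspicious else "clean",
    }


if __name__ == "__main__":
    report = analyze_email(SAMPLE_EMAIL)
    print("sender:", report["sender"], "(expected domain:", report["sender_is_expected_domain"], ")")
    for f in report["urls"]:
        print(f"  {f['verdict']:<10} {f['url']}")
    print("verdict:", report["verdict"])
```

Run on the sample, the sender check passes (it really is a paypal.com address), yet the message is still marked for review because the note contains a goo.gl link while the only expected link is the paypal.com transaction page. That separation is the point: sender authenticity tells you nothing about the safety of content a third party typed into the request.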
Zeus continues to evolve and remains a prominent Trojan in the banking malware family. This campaign uses social engineering through a legitimate service to pressure its victims into downloading Chthonic, the new malicious variant of the Trojan. This raises the concern that other malicious campaigns may take the same path to avoid being detected by antivirus products.