Researchers at Trend Micro have discovered a new social-engineering-based malvertising campaign that targets Japanese users with a malicious application disguised as a free porn game, a reward-points application, or a video-streaming app.
The malicious application relies on DLL sideloading (a legitimate executable loading a malicious DLL dropped next to it) to run the attackers' code, which can show the victim arbitrary web pages and ultimately deploys the Cinobi banking trojan. The researchers say the campaign shares much in common with the Cinobi campaign they identified last year and consider it a rebranded version of it: the configuration stayed the same, except that the target list now consists of cryptocurrency exchange websites in Japan.
Last year, Trend Micro researchers unearthed a new banking trojan, which they dubbed Cinobi. The malware was part of a campaign called “Operation Overtrap”, run by a group the researchers track as “Water Kappa”.
The group deployed the trojan in two ways: via spam, or through the Bottle exploit kit, which carried CVE-2020-1380 and CVE-2021-26411, two Internet Explorer exploits. Since the kit only works against that browser, only Internet Explorer users were exposed to the earlier malvertising attacks.
Throughout 2020 and the first half of 2021, the researchers observed limited activity from the group, with traffic declining in mid-June, possibly a sign that the group was moving to new tools and techniques. Earlier this month, they found the banking malware targeting users in Japan by abusing DLL sideloading, which is a technique rather than a browser bug: it needs no exploit, only a victim willing to run the downloaded program. Trend Micro believes the same attackers behind “Operation Overtrap” are behind this new campaign.
The campaign lures users with malvertisements built around five different themes. All of them trick the victim into installing the same archive containing the malware files: after the victim clicks the download button (“index.clientdownload.windows”), the site serves a ZIP archive holding the main executable.
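A practical triage step for an archive like this is to look for the sideloading pattern itself: a PE executable and a PE DLL placed in the same directory, where the DLL carries the name of a library the executable would load from its own folder before the system copy. The following script is an added example written for this page, not Trend Micro's code and not the campaign's actual file names; the list of commonly hijacked DLL names and the in-memory sample archive are assumptions constructed here so that it runs offline. It identifies PE files by parsing the headers (the `IMAGE_FILE_DLL` flag in the COFF Characteristics field) rather than trusting file extensions, which an attacker controls.

```python
"""Triage a ZIP archive for the DLL-sideloading pattern: an executable and a
DLL dropped side by side, with the DLL named like a library the executable is
likely to resolve from its own directory first.

Added illustrative example; not the researchers' code and not the real
campaign's file names. The sample archive is constructed in memory.
"""
import io
import struct
import zipfile
from posixpath import dirname

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag: image is a DLL

# Illustrative list of library names frequently hijacked via sideloading.
# Assumption for this example; the page does not name the DLL Cinobi used.
COMMONLY_HIJACKED = {"version.dll", "dwmapi.dll", "wininet.dll", "userenv.dll"}


def pe_kind(data: bytes):
    """Return 'dll', 'exe', or None for non-PE data, by parsing the DOS and
    COFF headers instead of trusting the file extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) plus COFF header (20 bytes) must fit in the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def find_sideload_candidates(zip_bytes: bytes):
    """Return (exe_path, dll_path, name_is_suspicious) for every DLL that sits
    in the same archive directory as an executable."""
    exes, dlls = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = pe_kind(zf.read(info))
            if kind == "exe":
                exes.append(info.filename)
            elif kind == "dll":
                dlls.append(info.filename)
    hits = []
    for exe in exes:
        for dll in dlls:
            if dirname(exe) == dirname(dll):
                base = dll.rsplit("/", 1)[-1].lower()
                hits.append((exe, dll, base in COMMONLY_HIJACKED))
    return hits


def _minimal_pe(is_dll: bool) -> bytes:
    """Build the smallest byte string pe_kind() accepts: a DOS header with
    e_lfanew, then the PE signature and a COFF header. Constructed test data,
    not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def build_sample_archive() -> bytes:
    """Constructed archive mimicking the lure: a harmless-looking launcher plus
    a DLL named like a system library beside it, and two decoys."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("game/launcher.exe", _minimal_pe(False))
        zf.writestr("game/version.dll", _minimal_pe(True))
        zf.writestr("game/readme.txt", b"not a PE file")
        zf.writestr("docs/helper.dll", _minimal_pe(True))  # other dir: not paired
    return buf.getvalue()


if __name__ == "__main__":
    for exe, dll, suspicious in find_sideload_candidates(build_sample_archive()):
        flag = "KNOWN-HIJACK-NAME" if suspicious else "review"
        print(f"{exe} + {dll}: {flag}")
```

A hit here is a reason to look closer, not a verdict: legitimate installers also ship private DLLs next to their executable. The distinguishing signal in a lure like this one is a DLL whose name matches a Windows library and which lacks the vendor's signature while the executable beside it is signed.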
The researchers noted that the malicious website can only be reached from Japanese IP addresses, a geofencing measure that also means analysts without a Japanese egress address will not see the payload. The actors' objective is to steal cryptocurrency: credentials for cryptocurrency exchange accounts are now what they are after when deploying the Cinobi banking trojan.
The threat actors have built a few more versions of the banking malware with slight differences between them; the most important difference is in the configuration file that drives the form-grabbing functionality. The trojan has been observed targeting users of 11 Japanese financial institutions, including banks and cryptocurrency trading companies.
To avoid infection, the researchers advise users to be cautious of suspicious advertisements and to install applications only from legitimate, trusted sources.