A new social engineering-based malvertising campaign targeting Japan has been discovered delivering a malicious application that deploys a banking Trojan on infected Windows machines to steal credentials related to cryptocurrency accounts.
In an analysis published last week, Trend Micro researchers Jaromir Horejsi and Joseph C Chen said the app masqueraded as an animated porn game, a rewards points app or a video streaming app, attributing the operation to what it tracked as Water Kappa is a threat actor that was previously discovered delivering the Cinobi Trojan against Japanese online banking users by exploiting a vulnerability in the Internet Explorer browser.
Stack Overflow Team
The researchers added that the shift in tactics suggests adversaries are singling out web browser users other than Internet Explorer.
Water Kappa’s latest infection routine begins with a malvertising for a Japanese anime porn game, bonus points app, or video streaming service, with a landing page urging victims to download the app – a ZIP archive containing files from an older version of “Logitech Capture” File” application from 2018, but there are also modified files that are orchestrated to decrypt and run shellcode that triggers the execution of the Cinobi banking Trojan.
Enterprise password management
In addition to geofencing access to the malvertising portal from non-Japanese IP addresses, the Trojan was designed to steal usernames and passwords from 11 Japanese financial institutions, three of which were involved in cryptocurrency trading. If a user visits one of the target websites, Cinobi's form scraping module will be activated to capture the information filled in the login screen.
"The new malvertising campaign demonstrates that Water Kappa is still active and evolving their tools and techniques for greater financial gain — a campaign that also aims to steal cryptocurrency," the researchers said. "In order to minimize Chances of getting infected, users need to be wary of suspicious ads on questionable websites and download apps only from trusted sources if possible."
Original article, author: Chief Security Officer, if reprinted, please indicate the source: https://cncso.com/en/cinobi-banking-trojan-to-attack-cryptocurrency-users.html
