Coming Soon

Security Management Technology Center Develop Elearning, FAQ , New Center...


Cybercriminals are abusing stolen or newly created PayPal accounts to send spam emails that link to the Chthonic banking Trojan, Proofpoint researchers warn.

As part of this rather small distribution campaign, crooks were observed leveraging the PayPal service to “request money” from users. The victim would then receive an email with the subject “You’ve got a money request,” which would certainly seem legitimate, since it is sent by PayPal.

According to Proofpoint, since the messages aren’t faked, spam filters are unlikely to catch them, and such messages were seen landing in Gmail inboxes, for example. While researchers aren’t sure whether the spamming process is automated or manual, they do stress on the fact that the legitimate money transfer service is abused to deliver malware.

The money request message claims that an illicit $100 transfer was made to the victim’s account, and that the money should be returned. The email contains a link supposedly linking to a screenshot that reveals the details of the alleged erroneous transaction, and the crooks use social engineering tactics to determine the unsuspecting victim to click on the link.

PayPal’s money request feature allows adding a note along with the request, where the attacker crafted a personalized message and included a malicious URL. In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both,” Proofpoint notes.

The link in the email redirects the victim to katyaflash[.]com/pp.php, where an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js is downloaded onto the computer. If the user attempts to open the JavaScript file, an executable is downloaded from wasingo[.]info/2/flash.exe.

This file is the chthonic banking trojan, which is yet another variant of the infamous Zeus Malware. The Chthonic sample used in this attack connects to the command and control (C&C) server at kingstonevikte[.]com, researchers say. Moreover, the malware was observed downloading a second-stage payload that turns out to be a previously undocumented malware called “AZORult.”

The good news is that the scale of this campaign appears to be relatively small and that the malicious link was clicked only a couple of dozen times at the time of Proofpoint’s report. PayPal was also notified on the issue. Regardless, the new malware distribution technique is both interesting and troubling, researchers say.

The email messages come from a legitimate source, which makes them harder to fend off, although email providers, clients, and anti-spam engines have spam detection capabilities and can prevent malicious messages from reaching users’ inboxes. This is yet another example of the innovative ways threat actors find when it comes to bypassing spam filters.

For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C&C, the potential impact is high. At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload,” Proofpoint notes.


** Disclaimer **

Any actions and or activities related to the material contained within this Website is solely your responsibility.The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.

This site contains materials that can be potentially damaging or dangerous. If you do not fully understand something on this site, then GO OUT OF HERE! Refer to the laws in your province/country before accessing, using,or in any other way utilizing these materials.These materials are for educational and research purposes only.Do not attempt to violate the law with anything contained here. If this is your intention, then LEAVE NOW! Neither administration of this server, the authors of this material, or anyone else affiliated in any way, is going to accept responsibility for your actions. Neither the creator is responsible for the comments posted on this website.


Subscribe to our newsletter and stay updated on the latest news and special offers!
Please wait