Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Banking Trojan Abuses Pinterest in C&C Routines

A new financial malware designed to target the customers of South Korean banks has been spotted in the wild by researchers at Trend Micro.

A new financial malware designed to target the customers of South Korean banks has been spotted in the wild by researchers at Trend Micro.

TSPY_BANKER.YYSI, which is part of the BANKER malware family, is being distributed in South Korea with the aid of compromised websites that redirect their visitors to an exploit kit. Once it infects a system, the Trojan monitors victims’ online activities and redirects them to a phishing website when they attempt to access the websites of certain financial institutions.

The malware targets the websites of Hana Bank, Nonghyup Bank, the Industrial Bank of Korea (IBK), Shinhan Bank, Woori Bank, Kookmin Bank, and the Consumer Finance Service Center, Trend Micro said.

When users visit one of these websites, the malware injects an iframe that loads a corresponding phishing page. These phishing sites are designed to look just like the bank’s legitimate website, and the threat is capable of spoofing the URL in the Web browser’s address bar to avoid raising any suspicion.

In addition to the bank websites, TSPY_BANKER.YYSI also targets a popular South Korean search engine. When victims visit this site, they are presented with a pop-up window containing links to the websites of banks monitored by the malware.

The redirection to the phishing pages only occurs when users visit the banking websites with Internet Explorer. However, this isn’t a problem since an outdated South Korean law requires citizens to bank and make online purchases with Internet Explorer. Statistics show that 75% of the country’s Web usage involves this browser.

What’s interesting about TSPY_BANKER.YYSI is that it uses the social media network Pinterest in its command and control (C&C) routines. Instead of contacting a C&C server, the Trojan accesses comments posted on Pinterest. The comments, which look something like “104A149B245C120D,” are decoded (by replacing letters with a dot) and the result is an IP address for the server hosting the phishing page. This tactic allows cybercriminals to quickly change the location of their servers in order to avoid detection, Trend Micro said in a blog post.

Advertisement. Scroll to continue reading.

Banking Trojan attack diagram

In one of the attacks analyzed by the security firm, the attackers leveraged exploits for two patched Internet Explorer vulnerabilities, CVE-2013-2551 and CVE-2014-0322, to deliver the malware. The exploit code is heavily obfuscated, but researchers have determined that it’s similar to Sweet Orange, an exploit kit that has been used in several campaigns over the past period.

This month, the cybercriminals have leveraged the Gongda exploit kit and a Windows vulnerability (CVE-2014-6332) patched by Microsoft last month.

Attribution is usually a difficult task, but in this case, comments found in the exploit code, the URLs of the servers that the malware communicates with, and a service used by the cybercriminals to generate statistics indicate that the attackers are Chinese speakers.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...