Connect with us

Hi, what are you looking for?



PayPal Abused in Banking Trojan Distribution Campaign

Cybercriminals are abusing stolen or newly created PayPal accounts to send spam emails that link to the Chthonic banking Trojan, Proofpoint researchers warn.

Cybercriminals are abusing stolen or newly created PayPal accounts to send spam emails that link to the Chthonic banking Trojan, Proofpoint researchers warn.

As part of this rather small distribution campaign, crooks were observed leveraging the PayPal service to “request money” from users. The victim would then receive an email with the subject “You’ve got a money request,” which would certainly seem legitimate, since it is sent by PayPal.

According to Proofpoint, since the messages aren’t faked, spam filters are unlikely to catch them, and such messages were seen landing in Gmail inboxes, for example. While researchers aren’t sure whether the spamming process is automated or manual, they do stress on the fact that the legitimate money transfer service is abused to deliver malware.

The money request message claims that an illicit $100 transfer was made to the victim’s account, and that the money should be returned. The email contains a link supposedly linking to a screenshot that reveals the details of the alleged erroneous transaction, and the crooks use social engineering tactics to determine the unsuspecting victim to click on the link.

“PayPal’s money request feature allows adding a note along with the request, where the attacker crafted a personalized message and included a malicious URL. In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both,” Proofpoint notes.

The link in the email redirects the victim to katyaflash[.]com/pp.php, where an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js is downloaded onto the computer. If the user attempts to open the JavaScript file, an executable is downloaded from wasingo[.]info/2/flash.exe.

This file is the Chthonic banking Trojan, which is yet another variant of the infamous Zeus malware. The Chthonic sample used in this attack connects to the command and control (C&C) server at kingstonevikte[.]com, researchers say. Moreover, the malware was observed downloading a second-stage payload that turns out to be a previously undocumented malware called “AZORult.”

Advertisement. Scroll to continue reading.

The good news is that the scale of this campaign appears to be relatively small and that the malicious link was clicked only a couple of dozen times at the time of Proofpoint’s report. PayPal was also notified on the issue. Regardless, the new malware distribution technique is both interesting and troubling, researchers say.

The email messages come from a legitimate source, which makes them harder to fend off, although email providers, clients, and anti-spam engines have spam detection capabilities and can prevent malicious messages from reaching users’ inboxes. This is yet another example of the innovative ways threat actors find when it comes to bypassing spam filters.

“For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C&C, the potential impact is high. At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload,” Proofpoint notes.

Related: Flaw Allowed Hackers to Deliver Malicious Images via PayPal

Related: Flaw Allowed Hackers to Abuse PayPal Confirmation Emails

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...