Cybercriminals are abusing stolen or newly created PayPal accounts to send spam emails that link to the Chthonic banking Trojan, Proofpoint researchers warn.
As part of this rather small distribution campaign, crooks were observed leveraging the PayPal service to “request money” from users. The victim would then receive an email with the subject “You’ve got a money request,” which would certainly seem legitimate, since it is sent by PayPal.
According to Proofpoint, since the messages aren’t faked, spam filters are unlikely to catch them, and such messages were seen landing in Gmail inboxes, for example. While researchers aren’t sure whether the spamming process is automated or manual, they do stress on the fact that the legitimate money transfer service is abused to deliver malware.
The money request message claims that an illicit $100 transfer was made to the victim’s account, and that the money should be returned. The email contains a Goo.gl link supposedly linking to a screenshot that reveals the details of the alleged erroneous transaction, and the crooks use social engineering tactics to determine the unsuspecting victim to click on the link.
“PayPal’s money request feature allows adding a note along with the request, where the attacker crafted a personalized message and included a malicious URL. In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both,” Proofpoint notes.
The Goo.gl link in the email redirects the victim to katyaflash[.]com/pp.php, where an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js is downloaded onto the computer. If the user attempts to open the JavaScript file, an executable is downloaded from wasingo[.]info/2/flash.exe.
This file is the Chthonic banking Trojan, which is yet another variant of the infamous Zeus malware. The Chthonic sample used in this attack connects to the command and control (C&C) server at kingstonevikte[.]com, researchers say. Moreover, the malware was observed downloading a second-stage payload that turns out to be a previously undocumented malware called “AZORult.”
The good news is that the scale of this campaign appears to be relatively small and that the malicious link was clicked only a couple of dozen times at the time of Proofpoint’s report. PayPal was also notified on the issue. Regardless, the new malware distribution technique is both interesting and troubling, researchers say.
The email messages come from a legitimate source, which makes them harder to fend off, although email providers, clients, and anti-spam engines have spam detection capabilities and can prevent malicious messages from reaching users’ inboxes. This is yet another example of the innovative ways threat actors find when it comes to bypassing spam filters.
“For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C&C, the potential impact is high. At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload,” Proofpoint notes.
Related: Flaw Allowed Hackers to Deliver Malicious Images via PayPal
Related: Flaw Allowed Hackers to Abuse PayPal Confirmation Emails