{
	"id": "14701c4a-5fd1-4d37-aa17-c5c775d0b2d5",
	"created_at": "2026-04-06T00:10:07.024857Z",
	"updated_at": "2026-04-10T03:21:40.766886Z",
	"deleted_at": null,
	"sha1_hash": "3fe253dd1a868aab00100751cf6a8599117606d8",
	"title": "Binary Options malvertising campaign drops ISFB banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2623755,
	"plain_text": "Binary Options malvertising campaign drops ISFB banking Trojan\r\nBy Jérôme Segura\r\nPublished: 2017-04-19 · Archived: 2026-04-05 22:28:30 UTC\r\nWe have been witnessing a series of malvertising attacks that keep a low profile with decoy websites and strong IP address filtering. We are calling it the ‘Binary Options’ campaign because the threat actor is using the front of a trading company to hide the real nature of his business.\r\nThere have been similar uses of fake façades as a gateway to exploit kits. For instance, Magnitude EK is known to use gates that have to do with Bitcoin, investment websites and such, as detailed in this Proofpoint blog entry.\r\nIn this particular case, the threat actor stole the web template from “Capital World Option”, a company that provides a platform for trading binary options. Participants must predict whether the price of an asset will rise or fall within a given time frame, which determines whether or not they make money. Binary options have earned a bad reputation, though, and some countries have even banned them.\r\nFraudulent infrastructure\r\nBelow is a screenshot of the legitimate website that is being impersonated. There are some differences between the real one and the fakes: the former uses SSL and was registered a while ago. Also, some of the website functionality does not work properly on the decoy versions.\r\nLegitimate site:\r\nDecoy site that ripped all the branding:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/\r\nPage 1 of 9\r\nThose fake sites are only meant to be viewed if you are not a target of this particular malware campaign. In other words, if you load the infection chain from the malvertising call and see the site, you will not be infected. Infections happen when the fraudulent server forwards victims directly to a second gate, without showing them any of the site’s content.\r\nThe same threat actor has registered many different domains, all purporting to be lookalikes and using a similar naming convention. The recent creation dates of these decoy sites are a hint that they are not likely to be legitimate:\r\nDomain Name: CAPITALWORLDOPTION.COM Creation Date: 2017-04-04T09:15:14Z Registrar: PDR Ltd. d/b/a Pub\r\nMalvertising chain\r\nThe attack starts off with an ad call from one of a few ad networks (Popads and PlugRush were seen in our telemetry) and redirects users to the decoy website, where a quick IP check is performed.\r\nOnly traffic that passes that check, i.e. the intended targets, is redirected to the second-stage server, which performs its own check. Once again, unwanted traffic is dumped (and a message, perhaps from the threat actor, “No time for rent”, is passed in the URL):\r\nOtherwise, users that have made it past those two gates are presented with the RIG exploit kit.\r\nBanking Trojan\r\nThe final payload consistently distributed via this campaign (across different geolocations) appears to be an ISFB variant (also known as Dreambot, Gozi or Ursnif), based on an old but resilient banking Trojan. Some of its features include web injects for the victims’ browsers, screenshotting, video recording, transparent redirections, etc.\r\nThe artifacts left on the system were very similar to those described in a Proofpoint blog post about Dreambot, and the samples we collected also download a Tor client. The registry entry for the Tor client can be seen below:\r\nModular structure\r\nThe sample retrieves several modules once it takes hold of a victim machine; below is an overview:\r\nOriginal Dropper\r\n-\u003e loader.dll injected into svchost.exe\r\n-\u003e client.dll and tordll.dll downloaded and injected into explorer.exe and into browsers\r\nThe main executable injects a file (loader.dll) into svchost.exe in order to download the other modules, which are encrypted in transit (tor.dll and client.dll), both available in 32- and 64-bit builds:\r\nWe can notice the “ISFB” signature within the malware code:\r\nThis piece of malware has some anti-VM features; for example, it checks the mouse cursor (a common sandbox-evasion test):\r\nModules are injected into explorer.exe and try to establish a connection to an .onion address.\r\n
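One way to turn the behaviours above into a host detection, as an added example that is not code from the Malwarebytes post or from the malware: it correlates image loads of the named modules into the named target processes, remote-thread creation into those processes, and Tor egress from svchost.exe or explorer.exe, over constructed Sysmon-style events. Only the module names (loader.dll, client.dll, tor.dll) and the process names come from the write-up; the host names, file paths, event shapes, the relay address 198.51.100.7 and the relay list itself are assumptions made for this demo.

```python
# Added example, not code from the Malwarebytes post: correlate the
# post-infection behaviours it describes over constructed Sysmon-style
# events. Only the module names (loader.dll, client.dll, tor.dll) and the
# target processes (svchost.exe, explorer.exe, browsers) come from the
# write-up; hosts, paths, the relay address and the event shapes are
# assumptions made for this demo.
from collections import defaultdict

INJECTED_MODULES = {'loader.dll', 'client.dll', 'tor.dll'}
INJECTION_TARGETS = {'svchost.exe', 'explorer.exe', 'firefox.exe',
                     'chrome.exe', 'iexplore.exe'}
# Non-browser processes that should never speak to the Tor network.
TOR_EGRESS_SUSPECTS = {'svchost.exe', 'explorer.exe'}
# Assumption: a relay list the environment already maintains (the hosts
# behind the ET TOR relay signatures mentioned in the post). 198.51.100.7
# is a documentation address standing in for a real relay.
KNOWN_TOR_RELAYS = {'198.51.100.7'}
TOR_PORTS = {9001, 9030}

def norm(path):
    # Sysmon writes Windows paths with backslashes (chr(92)); normalise
    # to forward slashes and lower case for comparisons.
    return path.replace(chr(92), '/').lower()

def basename(path):
    return norm(path).rsplit('/', 1)[-1]

def is_suspicious_load(ev):
    # Event 7: one of the named modules loaded into a target process from
    # outside the Windows directory. Caveat: a manually mapped module
    # produces no image-load event, so this is not the only indicator.
    if ev['id'] != 7:
        return False
    return (basename(ev['image']) in INJECTION_TARGETS
            and basename(ev['module']) in INJECTED_MODULES
            and not norm(ev['module']).startswith('c:/windows/'))

def is_cross_process_injection(ev):
    # Event 8: a remote thread created in one of the target processes,
    # which is how the dropper hands control to loader.dll in svchost.
    return ev['id'] == 8 and basename(ev['target']) in INJECTION_TARGETS

def is_tor_egress(ev):
    # Event 3: svchost.exe or explorer.exe talking to a known relay or on
    # a default Tor OR/directory port.
    if ev['id'] != 3:
        return False
    return (basename(ev['image']) in TOR_EGRESS_SUSPECTS
            and (ev['dst'] in KNOWN_TOR_RELAYS or ev['port'] in TOR_PORTS))

def score_hosts(events):
    # Map each host to the set of indicator names it triggered.
    hits = defaultdict(set)
    for ev in events:
        if is_suspicious_load(ev):
            hits[ev['host']].add('module_load')
        if is_cross_process_injection(ev):
            hits[ev['host']].add('remote_thread')
        if is_tor_egress(ev):
            hits[ev['host']].add('tor_egress')
    return dict(hits)

def infected_hosts(events):
    # A host matches the chain in the post when an injection indicator
    # and Tor egress from a non-browser process both fire.
    return sorted(host for host, ind in score_hosts(events).items()
                  if ind & {'module_load', 'remote_thread'}
                  and 'tor_egress' in ind)

# Constructed events (not real telemetry): ws01 shows the full chain,
# ws02 shows benign noise that must not alert.
EVENTS = [
    {'id': 7, 'host': 'ws01', 'image': 'C:/Windows/System32/svchost.exe',
     'module': 'C:/Users/bob/AppData/Local/Temp/loader.dll'},
    {'id': 8, 'host': 'ws01', 'source': 'C:/Windows/System32/svchost.exe',
     'target': 'C:/Windows/explorer.exe'},
    {'id': 7, 'host': 'ws01', 'image': 'C:/Windows/explorer.exe',
     'module': 'C:/Users/bob/AppData/Roaming/tor.dll'},
    {'id': 3, 'host': 'ws01', 'image': 'C:/Windows/explorer.exe',
     'dst': '198.51.100.7', 'port': 443},
    {'id': 7, 'host': 'ws02', 'image': 'C:/Windows/explorer.exe',
     'module': 'C:/Windows/System32/shell32.dll'},
    {'id': 3, 'host': 'ws02', 'image': 'C:/Program Files/Mozilla Firefox/firefox.exe',
     'dst': '203.0.113.9', 'port': 443},
]

if __name__ == '__main__':
    for host, ind in sorted(score_hosts(EVENTS).items()):
        print(host, sorted(ind))
    print('likely ISFB/Dreambot hosts:', infected_hosts(EVENTS))
```

The remote-thread indicator is kept alongside the image-load one on purpose: a loader that manually maps client.dll or tor.dll into explorer.exe never shows up as a Sysmon image load, and Tor egress over port 443 only becomes suspicious once it is attributed to a non-browser process, so the verdict is built from the combination rather than any single event.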
Browsers are also injected, via client.dll, as depicted below with Mozilla Firefox:\r\nScores of hosts are contacted post-infection, and the Tor connections trigger many Emerging Threats rules from the ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group.\r\nConclusion\r\nThis particular campaign focused on a very specific malvertising chain leading to the RIG exploit kit and, as far as we could tell, dropped the same payload each time, no matter the geolocation of the victim.\r\nBanking Trojans have been somewhat forgotten these days, overshadowed by ransomware. However, they still represent a significant threat and operate quietly in the shadows, manipulating banking portals to perform wire transfers unbeknownst to their victims or even the banks they target.\r\nMalwarebytes users are protected against this threat at various levels: domain and IP blocks, exploit mitigation for RIG EK, and detection of the malware payloads.\r\nRelated material\r\nProofpoint: Nightmare on Tor street: Ursnif variant Dreambot adds Tor functionality\r\nMaciej Kotowicz, BotConf: ISFB, Still Live and Kicking\r\nIOCs\r\n‘Binary Options’ domains:\r\nall-binarys-option.com all-binarys-options.com binaryoptionleader.com binaryoptionleaders.com binarys\r\n‘Binary options’ IP addresses:\r\n217.23.1.65 217.23.1.66 217.23.1.67 217.23.1.104 217.23.1.130 217.23.1.187 217.23.1.200\r\nRedirects:\r\nbasefont.ul-8.moskvi.ru/user5.php p.figcaption-7.nfl.si/user5.php command.bdo-3.mirifictour.ro/user5\r\nPayloads from different geos (ISFB):\r\nf2f8843673000b082ad08bd555c8cd023918a3c11af9d74e9fa98f3b1304b6be f12bc471f040146318a6fbd2879a95d947d4\r\nPost-infection traffic:\r\n158.69.176.173/images/zln7qsefZ961EfLVkD3/0FmzZhicPZalFMUtdp9E0C/JxRcPKmDA9QAA/dNCE_2Bz/nFe1Bp_2FQNkn\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/"
	],
	"report_names": [
		"binary-options-malvertising-campaign-drops-isfb-banking-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434207,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fe253dd1a868aab00100751cf6a8599117606d8.pdf",
		"text": "https://archive.orkl.eu/3fe253dd1a868aab00100751cf6a8599117606d8.txt",
		"img": "https://archive.orkl.eu/3fe253dd1a868aab00100751cf6a8599117606d8.jpg"
	}
}