# Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan **[proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan](https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan)** July 26, 2016 July 26, 2016 **_Updated August 2, 2016, to reflect new information a bout the malware referenced in this post; additional details_** **_added at the bottom._** While many email providers, clients, and anti-spam engines have become adept at detecting spam, malicious messages sent via high-profile, legitimate providers are much harder to catch. Threat actors continue to look for new ways to bypass these engines and, in the latest example of innovative approaches to malware distribution, have managed to co-opt PayPal services in a small campaign. Proofpoint analysts recently noticed an interesting abuse of legitimate service in order to deliver malicious content. Specifically, we observed emails with the subject “You’ve got a money request” that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then ----- using the portal to request money. We are not sure how much of this process was automated and how much manual, but the email volume was low. _Figure 1: Email delivering malicious content_ Although the actual email address is obscured in Figure 1, this message was sent to a Gmail inbox. Gmail failed to block the email since it appears legitimate. PayPal’s money request feature allows adding a note along with the request, where the attacker crafted a personalized message and included a malicious URL. In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both. If the user does click on the Goo.gl link, they are redirected to katyaflash[.]com/pp.php, which downloads an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js to the user’s system. If the user then opens the JavaScript file, it downloads an executable from wasingo[.]info/2/flash.exe. This executable is Chthonic, a variant of the Zeus banking Trojan. The command and control (C&C) for this instance is kingstonevikte[.]com. The following screenshot more clearly illustrates the sequence of events: _Figure 2: Network traffic generated starting with user clicking on the malicious URL and opening the downloaded_ _JavaScript_ It is also interesting that Chthonic downloads a second-stage payload, a previously undocumented malware “AZORult” which we are currently investigating: ----- _Figure 3: Logo used internally by the AZORult module_ **Conclusion** Although the scale of this campaign appeared to be relatively small (this particular example was only detected through one of our spamtraps; as of the writing of this blog, the malicious link has only been clicked 27 times according to Google Analytics for the URL shortener), the technique is both interesting and troubling. For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C&C, the potential impact is high. At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload. PayPal has been notified of this particular abuse of service but this represents yet another technique threat actors can use to bypass traditional defenses, regardless of the specific provider. **Indicators of Compromise (IOC’s)** **IOC** **IOC** **Type** **Description** [hxxp://goo[.]gl/G7z1aS?paypal-nonauthtransaction.jpg] URL URL in the email message [hxxp://katyaflash[.]com/pp.php] URL URL after the goo.gl redirect (hosting the js) 865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4 SHA256 paypalTransactionDetails.jpeg.js [hxxp://wasingo[.]info/2/flash.exe] URL JavaScript payload 0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141 SHA256 flash.exe ----- kingstonevikte[.]com Domain Chthonic C&C [hxxp://www.viscot[.]com/system/helper/bzr.exe] URL Chthonic 2nd Stage hosting 10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a SHA256 Chthonic 2nd Stage (AZORult) [91.215.154[.]202/AZORult/gate.php] URL AZORult C&C _Select ET Signatures that would fire on such traffic:_ 2810099 || ETPRO TROJAN Chthonic CnC Beacon 2811901 || ETPRO TROJAN Chthonic CnC Beacon 2821358 || ETPRO TROJAN Win32/Zbot Variant Checkin **_The information below was added based on additional background research conducted by Proofpoint analysts._** On July 31, Proofpoint researchers discovered an advertisement in an underground forum for the AZORult information stealer. This was the second-stage payload that Chthonic delivered to infected machines. The original ad in mixed Russian and English appears on top with our translation below: **_Original Ad_** [AZORult - Passwords, cookies, bitcoin, desktop files, etc stealer] Многофункциональный стиллер. Функционал: - Stealer сохраненных паролей из следующих программ(browsers, email, ftp, im): Спойлер Google Chrome Google Chrome x64 YandexBrowser Opera Mozilla Firefox InternetMailRu ComodoDragon Amigo Bromium Chromium Outlook Thunderbird Filezilla Pidgin PSI PSI Plus - Stealer cookies(Стиллер куков) из браузеров + данные автозаполнения форм(formhistory, autofill) Поддерживаемые браузеры: Спойлер Google Chrome Google Chrome x64 YandexBrowser Opera Mozilla Firefox ----- InternetMailRu ComodoDragon Amigo Bromium Chromium Куки в следующем формате, для удобного экспорта(Netscape cookie file format): Спойлер Instagram[.]com FALSE / FALSE 11129062731157896 csrftoken ebc08a134952abc6a5c36fb54c1aaaa .microsoft[.]com TRUE / FALSE 13140111158000000 TocPosition 1 www.searchengines[.]ru FALSE / FALSE 11138811175911879 OAИCAP 640.1 vsokovikov.narod[.]ru FALSE / FALSE 11168272384aaa000 __utma 1.211136481.14511109932.14658111726.1496725111.1 vsokovikov.narod[.]ru FALSE / FALSE 13111168384000111 __utmz 1.1250111526.1.1.utmcsr= (direct)|utmccn=(direct)|utmcmd=(none) - Bitcoin clients files Собирает файлы wallet.dat популярных биткоин клиентов (bitcoin, litecoin, etc) - Skype message history. Грабит файл с базой данных переписки. Файл читается специальными утилитами. - Desktop files grabber. Собирает файлы указанных расширений с рабочего стола. Фильтр по размеру файла. Также рекурсивно ищет файлы во вложенных папках. - Список установленных программ. - Список запущенных процессов. - Username, compname, OS, RAM Необходимый функционал можно включать/выключать в админке. В админке просматривается список поступивших отчетов, список сохраненных паролей из этих отчетов. Фильтры по дате, по типу паролей, поиск по базе. Остальные данные сохраняются в zip архив(отдельный для каждого отчета). Данные в архиве разложны по папкам. В архиве хранятся все данные, в админке только список отчетов и пароли. Спойлер []Browsers -[]Autocomplete --Google_Chrome_Default.txt -[]Cookies --Google_Chrome_Default.txt --MozillaFirefox_tpsasn.default-111340945411.txt []Coins -[]Bitcoin --wallet.dat -[]Litecoin --wallet.dat ... Info.txt Passwords.txt Process.txt Programms.txt ----- Софт поставляется в виде: .EXE - при запуске собирается необходимая инфа и отправляется на сервер .DLL - при подгрузке dll (DLL_PROCESS_ATTACH) собирается необходимая инфа и отправляется на сервер .DLL(thread) - при подгрузке dll (DLL_PROCESS_ATTACH) создается отдельный поток, в котором производится необходимая работа(собирается необходимая инфа и отправляется на сервер). Например для использования как плагина для популярных лоадеров. Скриншоты: Спойлер [Screenshots linked in the original ad – displayed here] ----- ----- Цена: $100 Ребилд: $30 Связь(jabber): [Redacted]@exploit[.]im ************************************** **_Translation:_** [AZORult - Passwords, cookies, bitcoin, desktop files, etc stealer] Multifunctional Stealer. Functions: - Stealer of saved passwords from following programs (browsers, email, ftp, im): Google Chrome Google Chrome x64 YandexBrowser Opera Mozilla Firefox InternetMailRu ComodoDragon Amigo Bromium Chromium Outlook Thunderbird Filezilla Pidgin PSI PSI Plus ----- Stealer of cookies from browsers and forms (form history, autofill) Supported Browsers: Google Chrome Google Chrome x64 YandexBrowser Opera Mozilla Firefox InternetMailRu ComodoDragon Amigo Bromium Chromium Cookies are in following format, for easy export (Netscape cookie file format): instagram[.]com FALSE / FALSE 11129062731157111 csrftoken yyyc08a1349526c46a5c36fb54c1ayyy .microsoft[.]com TRUE / FALSE 11140260158000111 TocPosition 1 www.searchengines[.]ru FALSE / FALSE 11138826175965111 OAИCAP 111.1 vsokovikov.narod[.]ru FALSE / FALSE 11168272384000111 __utma 1.111136481.1458509111.1465826111.1496725111.1 vsokovikov.narod[.]ru FALSE / FALSE 13120968384000111 __utmz 1.1110722526.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) - Bitcoin clients files Collects wallet.dat files from popular bitcoin clients (bitcoin, litecoin, etc) - Skype message history. Grabs files from chat history. Files are read with special utilities. - Desktop files grabber. Collects files with specified extensions from Desktop. Filter by file size. Recursively searches files in folders. - List of installed programs - List of running processes - Username, compname, OS, RAM Necessary functions that can be turned on and of in admin panel The admin panel has a list of received reports, list of saved passwords from those reports. Has filters by date, type of password, search in the base. The rest of data from reports is save as a zip aarchive, different one for each report. The data is sorted into folders. The archive contains all data, while the admin panel only list of reports and passwords. []Browsers -[]Autocomplete --Google_Chrome_Default.txt -[]Cookies --Google_Chrome_Default.txt --MozillaFirefox_tpasdn.default-111140945111.txt []Coins ----- []Bitcoin --wallet.dat -[]Litecoin --wallet.dat ... Info.txt Passwords.txt Process.txt Programms.txt Software is delivered as: .EXE - when started, collects necessary info and sends to server .DLL - when started the dll (DLL_PROCESS_ATTACH) collects necessary info and sends to server .DLL(thread) - when started dll (DLL_PROCESS_ATTACH) creates a new thread which does the work (collects necessary info and sends to server) Price: $100 Rebuild: $30 Contact(jabber): [Redacted]@exploit[.]im Subscribe to the Proofpoint Blog -----