# Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan

[Posted on: March 11, 2020 at 6:00 am](https://blog.trendmicro.com/trendlabs-security-intelligence/2020/03/) | [Posted in: Malware](https://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/) | Author: [Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/author/trend-micro/)

**_By Jaromir Horejsi and Joseph C. Chen (Threat Researchers)_**

We recently discovered a new campaign that we dubbed "Operation Overtrap" for the numerous ways it can infect, or trap, victims with its payload. The campaign mainly targets online users of various Japanese banks, stealing their banking credentials through a three-pronged attack. Based on our telemetry, Operation Overtrap has been active since April 2019 and has solely targeted online banking users located in Japan.

Our analysis found that this campaign uses three different attack vectors to steal its victims' banking credentials:

- Sending spam emails with a phishing link to a page disguised as a banking website
- Sending spam emails that ask victims to run a disguised malware executable downloaded from a linked phishing page
- Using a custom exploit kit to deliver malware via malvertising

Figure 1. Operation Overtrap three-pronged attack flow

This blog will discuss how we discovered the campaign and introduce the brand-new banking trojan Cinobi.
Meanwhile, a detailed look at the different attack vectors associated with this campaign, and a more in-depth analysis of the dropped configuration files as well as Cinobi's features, are discussed in our [technical brief](https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf).

# Technical Analysis

## Discovering Operation Overtrap

We first discovered the campaign in September 2019 through a then-unidentified exploit kit. Based on our data, Operation Overtrap had been using spam emails to deliver its payload to victims as early as April 2019. In mid-September, we observed a significant number of victims being redirected to the exploit kit, which targeted Internet Explorer, after they had clicked on links from social media platforms. It should be noted, however, that the way the victims received the links has not been identified. It is also worth mentioning that Operation Overtrap only seems to target Japanese online banking users; it redirects victims in other geolocations to a fake online shop.

Upon analysis, we saw that the exploit kit only dropped a clean binary that performs no malicious activity on a victim's device and exits immediately after infection. It is still unclear why the threat actors behind Operation Overtrap initially delivered a clean binary; it is possible that they were testing their custom exploit kit during this stage of the campaign's development.

Figure 2. A screengrab that shows exploit kit network traffic in September 2019

Figure 3.
A screengrab that shows a clean file dropped by Operation Overtrap's exploit kit

## Operation Overtrap's Custom Exploit Kit: Bottle Exploit Kit

On September 29, 2019, we observed that the exploit kit ceased to drop a clean file and instead delivered a brand-new banking trojan that we dubbed "Cinobi." We also noted that the threat actors behind Operation Overtrap stopped redirecting victims from social media and began to use a Japan-targeted malvertising campaign to push their custom exploit kit.

Another researcher later discovered the custom exploit kit, which was named the [Bottle Exploit Kit (BottleEK)](https://nao-sec.org/2019/12/say-hello-to-bottle-exploit-kit.html). It exploits [CVE-2018-15982](https://nvd.nist.gov/vuln/detail/CVE-2018-15982), a Flash Player use-after-free vulnerability, as well as [CVE-2018-8174](https://nvd.nist.gov/vuln/detail/CVE-2018-8174), a VBScript remote code execution vulnerability. Victims are infected with BottleEK's payload if they reach the exploit kit's landing page with an unpatched or outdated browser. Our telemetry shows that BottleEK was the most active exploit kit detected in Japan in February 2020.

Figure 4. Exploit kit activity observed in Japan in February 2020 (Data obtained from Trend Micro Smart Protection Network™)

## Brand-new banking malware: Cinobi

Operation Overtrap used a new banking malware we have decided to call Cinobi. Based on our analysis, Cinobi has two versions. The first has a DLL injection payload that compromises victims' web browsers to perform form-grabbing; this version can also modify web traffic sent to and received from targeted websites. Our investigation found that all the websites this campaign targeted were those of Japan-based banks. Aside from form-grabbing, it also has a webinject function that allows cybercriminals to modify accessed webpages.
The second version has all the capabilities of the first plus the ability to communicate with a command-and-control (C&C) server over the Tor proxy.

Each of Cinobi's four stages contains encrypted position-independent shellcode, which makes analysis slightly more complicated. Each stage is downloaded from a C&C server after certain conditions have been met.

#### First stage

The first stage of Cinobi's infection chain, which has also been [analyzed by another cybersecurity researcher](http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html), starts by calling the [GetUserDefaultUILanguage](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getuserdefaultuilanguage) function to check whether the infected device's user interface language is set to Japanese.

Figure 5. Screengrab of Cinobi's check to determine the device's language settings using "GetUserDefaultUILanguage"

Cinobi then downloads a legitimate unzip.exe and a legitimate Tor package from the following locations:

- ftp://ftp[.]cadwork.ch/DVD_V20/cadwork.dir/COM/unzip[.]exe
- https://archive[.]torproject[.]org/tor-package-archive/torbrowser/8.0.8/tor-win32-0.3.5.8[.]zip

After extracting the Tor archive into the "\AppData\LocalLow\" directory, Cinobi renames tor.exe to taskhost.exe and executes it with a custom torrc file:

"C:\Users\\AppData\LocalLow\\Tor\taskhost.exe" -f "C:\Users\\AppData\LocalLow\\torrc"

It then downloads the second stage of the payload from a .onion C&C address and saves it as a randomly named .DLL file in the "\AppData\LocalLow\" folder. The filename of the first-stage downloader is saved into a .JPG file with a random name.

Figure 6. Screengrab of the .JPG file that contains the filename of the first-stage downloader

After this, Cinobi runs the second stage of its downloader on the victim's machine.

Figure 7.
Screengrab of code showing Cinobi running the second stage of its downloader on the victim's machine

#### Second stage

Cinobi connects to its C&C server to download and decrypt the file for the third stage of its infection chain. We observed that the filename of the third stage starts with the letter C, followed by random characters. Afterward, it downloads and decrypts the file for the fourth stage, whose filename starts with the letter A, followed by random characters. Finally, Cinobi downloads and decrypts a config file (.txt) that contains a new C&C address. These files are encrypted with RC4 under a hardcoded key.

Next, Cinobi runs the downloaded third-stage file using a UAC bypass via the CMSTPLUA COM interface.

#### Third stage

During the third stage, Cinobi copies the malware files from "\AppData\LocalLow\" to the "%PUBLIC%" folder. It then installs the fourth stage (downloaded during the second stage) as a Winsock Layered Service Provider using [WSCInstallProviderAndChains](https://docs.microsoft.com/en-us/windows/win32/api/ws2spi/nf-ws2spi-wscinstallproviderandchains).

Figure 9. Screengrab of code showing the installation of the infection's fourth stage on the victim machine via "WSCInstallProviderAndChains"

Cinobi then performs the following actions:

- Change the spooler service configuration to "SERVICE_AUTO_START"
- Disable the following services: UsoSvc, wuauserv, WaaSMedicSvc and SecurityHealthService, along with DisableAntiSpyware (a Windows Defender policy value rather than a service)
- Copy and extract the Tor files to the "%PUBLIC%" folder
- Rename tor.exe to taskhost.exe
- Create torrc in "%PUBLIC%" with the content "DataDirectory C:\Users\Public\\data\tor"
- Create a .JPG file with the original dropper name
- Remove files from "\AppData\LocalLow\" and remove the original dropper file

#### Fourth stage

Cinobi calls the [WSCEnumProtocols](https://docs.microsoft.com/en-us/windows/win32/api/ws2spi/nf-ws2spi-wscenumprotocols) function to retrieve information about the available transport protocols.
It also calls the [WSCGetProviderPath](https://docs.microsoft.com/en-us/windows/win32/api/ws2spi/nf-ws2spi-wscgetproviderpath) function, twice, to retrieve the DLL path of the original transport provider. The first call returns the malicious provider (since the fourth stage was already installed during the third stage). The second call returns the original transport provider ("%SystemRoot%\system32\mswsock.dll"), whose [WSPStartup](https://docs.microsoft.com/en-us/windows/win32/api/ws2spi/nf-ws2spi-wspstartup) function Cinobi resolves and calls. Cinobi then checks the name of the process into which the malicious DLL provider has been injected. In practice, Cinobi should be injected into every process that makes network connections using [Windows sockets](https://docs.microsoft.com/en-us/windows/win32/winsock/windows-sockets-start-page-2).

Figure 10. Screengrab of processes where the malicious DLL provider has been injected

# Best practices against spam and vulnerabilities

Operation Overtrap uses a variety of attack vectors to steal banking credentials. Users and organizations need to adopt best practices to protect their systems against messaging-related threats and to avoid malicious advertisements. An example of a best […] software via official channels. Organizations will benefit from regularly updating systems (or using [virtual patching](https://www.trendmicro.com/vinfo/us/security/news/security-technology/security-101-virtual-patching) for legacy systems) to prevent attackers from taking advantage of security gaps.
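
Before the general advice, two concrete checks. First, the second stage's RC4 decryption, as an added example written for this article (it is not Trend Micro's tooling or code recovered from the sample). The write-up gives the algorithm and says the key is hardcoded but not its value, so the key, the .onion address and the encrypted blobs below are constructed; an analyst would swap in the key pulled from the second-stage binary. The classification step exists because RC4 fails silently: a wrong key yields bytes that look like anything, so checking for an MZ header or a .onion hostname tells you whether you recovered the stage-3/stage-4 DLL, the C&C config, or garbage.

```python
"""Decrypt and classify Cinobi-style second-stage downloads.

Added example for this article, not Trend Micro's tooling or the malware's
own code. The write-up states only that the stage-3/stage-4 files and the
.txt config (which carries a new C&C address) are RC4-encrypted under a
hardcoded key; the key, the .onion address and the sample blobs below are
constructed for illustration.
"""
import os
import re


def rc4_keystream(key: bytes):
    """Plain RC4: key scheduling (KSA), then the PRGA, one byte per iteration."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher, so one function both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Known-answer check from the public RC4 test vectors (Key="Key", "Plaintext").
assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"

# v2 (16 chars) or v3 (56 chars) .onion hostnames, as a loose sanity filter.
ONION_RE = re.compile(rb"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b")


def classify(plain: bytes) -> str:
    """Label what the decryption produced so a wrong key is obvious."""
    if plain[:2] == b"MZ":
        return "pe"           # stage 3 ("C...") or stage 4 ("A...") DLL
    if ONION_RE.search(plain):
        return "config"       # the .txt holding the next C&C address
    return "unknown"          # wrong key, or not a Cinobi artefact at all


def decrypt_and_classify(key: bytes, blob: bytes):
    plain = rc4(key, blob)
    return classify(plain), plain


def decrypt_dir(key: bytes, folder: str):
    """Decrypt every file in `folder` (e.g. a copy of the LocalLow drop
    directory) and report (name, label, first bytes) for each."""
    report = []
    for name in sorted(os.listdir(folder)):
        with open(os.path.join(folder, name), "rb") as fh:
            label, plain = decrypt_and_classify(key, fh.read())
        report.append((name, label, plain[:48]))
    return report


# ---- constructed sample data (NOT real Cinobi material) --------------------
HYPOTHETICAL_KEY = b"cinobi-example-key"                 # stand-in for the real key
SAMPLE_CONFIG_PLAIN = b"http://abcdefghijklmnop.onion/gate\r\n"  # made-up v2 onion
SAMPLE_CONFIG_BLOB = rc4(HYPOTHETICAL_KEY, SAMPLE_CONFIG_PLAIN)
SAMPLE_PE_BLOB = rc4(HYPOTHETICAL_KEY, b"MZ\x90\x00" + b"\x00" * 60)  # fake DOS stub

if __name__ == "__main__":
    for blob in (SAMPLE_CONFIG_BLOB, SAMPLE_PE_BLOB):
        label, plain = decrypt_and_classify(HYPOTHETICAL_KEY, blob)
        print(label, plain[:40])
    label, _ = decrypt_and_classify(b"wrong-key", SAMPLE_CONFIG_BLOB)
    print("wrong key ->", label)
```

The known-answer check against the public RC4 test vector runs at import time, so a transcription error in the cipher is caught before any sample is touched; `decrypt_dir` walks a folder of collected artefacts (the "C…" and "A…" files and the .txt) and labels each one, which is usually enough to confirm the key without opening a disassembler.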
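
Second, a host check for the persistence artefacts described in the first, third and fourth stages, as an added example written for this article rather than Trend Micro's tooling. It runs offline over data an incident responder already collects: the text of `netsh winsock show catalog` (to find a Layered Service Provider registered from a user-writable path, which is how the stage-4 DLL ends up in every Winsock-using process), process image and command-line pairs (tor.exe renamed to taskhost.exe and started with `-f <torrc>`), and service start types (the Windows Update and Security Health services the third stage disables). The sample inputs are constructed to mirror the write-up's paths; `<user>` stands for the profile name the write-up elides, and the %PUBLIC% layout and the stage-4 file name ahx9t.dll are assumptions.

```python
"""Offline triage for the Cinobi persistence artefacts described above.

Added example written for this article; it is not Trend Micro's tooling.
Nothing here queries a live host: each check takes data you collect yourself
(`netsh winsock show catalog` text, image/command-line pairs from Sysmon
event ID 1 or a process listing, and service start types). The samples are
constructed to mirror the names and paths in the write-up; <user> stands for
the profile name it elides, and the layout under %PUBLIC% and the stage-4
file name are assumptions.
"""
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _norm(path: str) -> str:
    """Expand %SystemRoot% and lower-case so prefix checks are reliable."""
    return re.sub(r"%systemroot%", r"C:\\Windows", path, flags=re.I).strip().lower()


def in_system_dir(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_DIRS)


# ---- 1. Winsock catalog: stage 4 is an LSP registered from %PUBLIC% -------
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$", re.M)


def parse_winsock_catalog(text: str):
    """One dict per 'Winsock Catalog Provider Entry' block of netsh output."""
    blocks = text.split("Winsock Catalog Provider Entry")[1:]
    return [{k.strip(): v for k, v in FIELD_RE.findall(b)} for b in blocks]


def rogue_winsock_providers(text: str):
    """Providers whose DLL lives outside System32/SysWOW64. A stock catalog
    points at mswsock.dll and friends; Cinobi's entry is loaded into every
    process that opens a Windows socket, so this is worth alerting on."""
    return [e for e in parse_winsock_catalog(text)
            if "Provider Path" in e and not in_system_dir(e["Provider Path"])]


# ---- 2. Processes: tor.exe renamed to taskhost.exe, started with -f torrc --
def rogue_tor_processes(processes):
    """processes: iterable of (image_path, command_line)."""
    hits = []
    for image, cmdline in processes:
        reasons = []
        if ntpath.basename(image).lower() == "taskhost.exe" and not in_system_dir(image):
            reasons.append("taskhost.exe running outside System32")
        if "torrc" in cmdline.lower():
            reasons.append("started with a torrc file (Tor client)")
        if reasons:
            hits.append((image, reasons))
    return hits


# ---- 3. Services the third stage disables ---------------------------------
CINOBI_DISABLED = {"usosvc", "wuauserv", "waasmedicsvc", "securityhealthservice"}


def tampered_services(start_types):
    """start_types: {service name: start type}. Returns the Windows Update
    and Security Health services that have been set to Disabled."""
    return [n for n, t in start_types.items()
            if n.lower() in CINOBI_DISABLED and t.lower() == "disabled"]


# ---- constructed samples (not real collection data) -----------------------
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\Users\Public\ahx9t.dll
Catalog Entry ID:                   1042
"""

SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\taskhost.exe", "taskhost.exe"),
    (r"C:\Users\<user>\AppData\LocalLow\Tor\taskhost.exe",
     r'"C:\Users\<user>\AppData\LocalLow\Tor\taskhost.exe" -f "C:\Users\<user>\AppData\LocalLow\torrc"'),
    (r"C:\Users\Public\Tor\taskhost.exe",
     r'"C:\Users\Public\Tor\taskhost.exe" -f "C:\Users\Public\torrc"'),
]

SAMPLE_SERVICES = {"UsoSvc": "Disabled", "wuauserv": "Disabled", "WaaSMedicSvc": "Disabled",
                   "SecurityHealthService": "Disabled", "Spooler": "Auto"}


def triage(catalog=SAMPLE_CATALOG, processes=SAMPLE_PROCESSES, services=SAMPLE_SERVICES):
    return {
        "winsock": [e["Provider Path"] for e in rogue_winsock_providers(catalog)],
        "processes": rogue_tor_processes(processes),
        "services": tampered_services(services),
    }


if __name__ == "__main__":
    for check, findings in triage().items():
        print(f"{check}: {findings if findings else 'clean'}")
```

On a real host, capture the three inputs with `netsh winsock show catalog`, a Sysmon event ID 1 export or `Get-CimInstance Win32_Process | Select-Object ExecutablePath, CommandLine`, and `Get-Service | Select-Object Name, StartType` (PowerShell 5 and later), then pass them to `triage`. Treat the LSP finding as the strongest signal: a provider path outside System32 rarely has a legitimate reason to be in the catalog on a workstation (third-party VPN or security agents are the usual benign exception), and `netsh winsock reset`, after preserving the DLL for analysis, removes the entry.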
Additional security mechanisms like [firewalls](https://www.trendmicro.com/vinfo/us/security/news/security-technology/best-practices-deploying-an-effective-firewall) and intrusion detection and prevention systems will help thwart suspicious network activity such as data exfiltration or C&C communication.

## Trend Micro Solutions

Organizations can consider Trend Micro™ endpoint solutions such as [Trend Micro Smart Protection Suites](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html?utm_campaign=VURL:www.trendmicro.com&utm_medium=VURL&utm_source=/us/enterprise/network-security/interscan-web-security/index.html) and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. [Trend Micro Deep Discovery™](https://www.trendmicro.com/en_us/business/products/network/advanced-threat-protection.html) has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.

[Trend Micro™ Hosted Email Security](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/cloud-email-gateway-services.html) is a no-maintenance cloud solution that delivers continuously updated protection that stops spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects [Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/cloud-app-security.html).

For defending against malvertising campaigns in general, users can employ [Trend Micro™ Maximum Security](https://www.trendmicro.com/en_us/forHome/products/maximum-security.html), which protects consumers via a multi-layered defense that delivers highly effective and efficient protection against ever-evolving threats.
[Trend Micro™ Smart Protection Suites](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html) also protect businesses against these types of threats by providing threat protection techniques designed to eliminate security gaps across multiple users and endpoints.

You may read our in-depth analysis of Operation Overtrap in this [technical brief](https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf), which also contains details about possible links to other phishing campaigns and the indicators of compromise.

Tags: banking malware, banking Trojan, Bottle exploit kit, BottleEK, Cinobi, exploit kit, Operation Overtrap