{
	"id": "c4d7363f-3639-4969-9e58-b4cc1d75ef21",
	"created_at": "2026-04-06T00:22:07.711387Z",
	"updated_at": "2026-04-10T03:23:51.068191Z",
	"deleted_at": null,
	"sha1_hash": "d70f06e6e35751bbde06f6cbf4216344b23df3b1",
	"title": "Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51544,
	"plain_text": "Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via\r\nMalvertising\r\nBy Joseph C Chen ( words)\r\nPublished: 2021-08-09 · Archived: 2026-04-05 22:35:29 UTC\r\nInfection Routine\r\nThe campaign’s infection routine begins when a user received malvertisements that are disguised as advertisements of either\r\nJapanese animated porn games, reward points applications, or video streaming applications. While we have observed five\r\ndifferent themes of their malvertisements, all of them attempt to trick victims into downloading the same archive with the\r\nsame malware.\r\nThese malvertisements are likely cloned from legitimate websites by the malicious actor. Minor modifications are then\r\napplied, such as the removal of some buttons and the changing of certain information sections. The only buttons that are left\r\nlead to the new page — created by the malicious actor — that instructs the victims how to download and execute the\r\napplication.\r\nAfter clicking on the button with the text “index.clientdownload.windows” (as shown in figure 2), the landing page starts\r\ndownloading the ZIP archive, which is followed by instructions for the victim on how to open, extract, and execute the main\r\nexecutable file. The other four malicious ads look visually different, but their behavior and landing page is similar.\r\nIt is important to note that the access to the website is filtered based on the IP address. Non-Japanese IP addresses will see\r\nthe following error message from Cloudflare.\r\nAnalysis of the malware\r\nAfter extracting the ZIP archive, we noticed the listing seen in Figure 5. The files that we decided were interesting enough to\r\nbe analyzed are marked in red.\r\nMost files are legitimate ones taken from an older version of the “Logitech Captureopen on a new tab” application, dated\r\n2018. 
The legitimate and signed LogiCapture.exe (08FB68EB741BF68F3CFC29A4AD3033D75AD57798ED826D926344015BDB8B0EBB) is instructed in LogiCapture.exe.config, via custom application settings, to load the Xjs.dll library. Because the .config file is not covered by the executable’s Authenticode signature, LogiCapture.exe keeps its valid signature while loading attacker-supplied code. Xjs.dll loads the format.cfg file, decrypts the shellcode it contains, and executes it.\r\nThe shellcode embedded in format.cfg copies config.dll and cfg.config to the temporary directory %TEMP%, renames them to a.dll and 1.txt, and executes the export function named “a” of a.dll via the following command:\r\nrundll32.exe \"%TEMP%\\a.dll\",a %TEMP%\\1.txt\r\nConfig.dll (renamed to a.dll) resolves the APIs it needs, loads the content of cfg.config (renamed to 1.txt), decrypts it with a XOR key, and executes the resulting shellcode. The decrypted cfg.config is the first stage of the Cinobi banking trojan (as explained in our initial blog post from 2020).\r\nThe Cinobi banking trojan is split into four stages, each of which downloads additional components and possibly performs environment or anti-virtual machine (VM) checks. There are two command-and-control (C\u0026C) servers: one returns stages 2 to 4, the other returns the configuration files.\r\nThe malicious actor became more active in summer 2021, and we noticed a few more versions with slight differences from the ones described earlier. In addition to the application archive with four added malicious files (as shown in Figure 5), we also noticed a refactored version of the archive with just three files (xjs.dll, format.cfg, and a file named “ros”), only three stages, and a single C\u0026C server serving the configuration files.\r\nIn the refactored version, Xjs.dll decrypts and loads format.cfg, which is the first stage of the Cinobi banker. Unlike the behavior described in last year’s blog entry, this stage does not download Tor and other additional stages from the first C\u0026C server. 
Instead, it reads and extracts files from the file called “ros”, which is an encrypted package containing stages 2 and 3, a configuration file containing the C\u0026C server, and an archive with Tor.\r\nThe most important of these is the configuration file listing the websites targeted by the form-grabbing functionality. At the time of writing, the banking trojan targets users of 11 Japanese financial institutions, at least three of which are involved in cryptocurrency trading.\r\nWhen a victim on an infected machine accesses one of the websites listed in the configuration file and submits a filled-out form to the server, the banker’s form-grabbing feature is triggered. In the following screenshots, we show examples of login forms with filled data.\r\nhttps://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html\r\nPage 1 of 5\n\nAfter clicking the submit button, a text file containing an encrypted request briefly appears in the folder where the banking trojan is installed. After decrypting this temporarily created text file, the stolen credentials (highlighted) can be seen.\r\nConclusion\r\nThe new malvertising campaign shows that Water Kappa is still active and continuously evolving its tools and techniques for greater financial gain; this campaign also aims to steal cryptocurrency. 
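The loader chain described under Analysis of the malware leaves two host-side artefacts a defender can hunt for: an application .exe.config whose custom settings point a signed vendor executable at a DLL the vendor never shipped, and a rundll32.exe launch that loads a DLL from %TEMP% and calls a single-letter export. The Python below is an added example written for this page, not code from the report or from Trend Micro. It runs offline on constructed data: the configuration layout (an appSettings entry whose value is a .dll), the baseline DLL name logicore.dll and the process-log command lines are assumptions, since the report does not reproduce the real LogiCapture.exe.config; the first sample command line is the exact rundll32 invocation the report attributes to the format.cfg shellcode.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the real LogiCapture.exe.config): an attacker-added
# appSettings entry makes the signed executable load Xjs.dll. The setting name
# PluginPath and the benign LogLevel entry are assumptions for illustration.
SAMPLE_CONFIG = '''<configuration>
  <appSettings>
    <add key=\"LogLevel\" value=\"Info\" />
    <add key=\"PluginPath\" value=\"Xjs.dll\" />
  </appSettings>
</configuration>'''

# Hypothetical baseline of DLLs the vendor application is expected to load;
# in practice, build it from a clean install of the same version.
EXPECTED_DLLS = {'logicore.dll'}

# Constructed process-creation command lines. The first one is the rundll32
# invocation the report attributes to the format.cfg shellcode.
SAMPLE_EVENTS = [
    'rundll32.exe \"%TEMP%\\a.dll\",a %TEMP%\\1.txt',
    'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
    'C:\\Windows\\System32\\rundll32.exe C:\\Users\\victim\\AppData\\Local\\Temp\\a.dll,a',
    'rundll32.exe \"C:\\Program Files\\Vendor\\helper.dll\",Init',
    'notepad.exe C:\\Users\\victim\\notes.txt',
]

# Directory markers that mean the DLL lives in a user-writable temp location.
TEMP_MARKERS = ('%temp%', '\\temp\\', '\\appdata\\local\\temp\\')

# Matches an optional directory prefix, rundll32[.exe] and the following space.
RUNDLL_PREFIX = re.compile('\\s*\"?(?:.*\\\\)?rundll32(?:\\.exe)?\"?\\s+', re.I)


def unexpected_config_dlls(config_xml, expected_dlls):
    '''Return (key, value) pairs from appSettings whose value names a DLL
    that is not in the expected baseline set (compared case-insensitively).'''
    hits = []
    for add in ET.fromstring(config_xml).iter('add'):
        value = add.get('value', '')
        if not value.lower().endswith('.dll'):
            continue
        basename = value.replace('/', '\\').split('\\')[-1].lower()
        if basename not in expected_dlls:
            hits.append((add.get('key'), value))
    return hits


def parse_rundll32(cmdline):
    '''Split a rundll32 command line into (dll_path, export_name); None if
    the line is not a rundll32 launch. Handles quoted and unquoted paths.'''
    m = RUNDLL_PREFIX.match(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():]
    if rest.startswith('\"'):
        end = rest.find('\"', 1)
        if end < 0:
            return None
        dll, rest = rest[1:end], rest[end + 1:]
    else:
        m2 = re.match('[^,\\s]+', rest)
        if not m2:
            return None
        dll, rest = m2.group(0), rest[m2.end():]
    m3 = re.match('\\s*,\\s*([^\\s,]+)', rest)
    if not m3:
        return None
    return dll, m3.group(1)


def rundll32_reasons(cmdline):
    '''List why a rundll32 launch resembles the Cinobi loader: the DLL is
    loaded from a temp directory, and/or the export name is a single letter.'''
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll, export = parsed
    low = dll.lower()
    reasons = []
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append('dll_in_temp')
    if len(export) == 1:
        reasons.append('single_letter_export')
    return reasons


def scan_process_log(cmdlines):
    '''Flag command lines where rundll32 loads a DLL from a temp directory.'''
    flagged = []
    for cmdline in cmdlines:
        reasons = rundll32_reasons(cmdline)
        if 'dll_in_temp' in reasons:
            flagged.append((cmdline, reasons))
    return flagged


if __name__ == '__main__':
    for key, value in unexpected_config_dlls(SAMPLE_CONFIG, EXPECTED_DLLS):
        print('config setting', key, 'loads unexpected DLL', value)
    for cmdline, reasons in scan_process_log(SAMPLE_EVENTS):
        print('suspicious rundll32:', cmdline, reasons)
```

The temp-directory condition is what triggers an alert; the single-letter export is recorded as a second reason because benign rundll32 launches normally name a descriptive export such as Control_RunDLL, so the combination of both reasons closely matches the command line the report quotes.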
In order to minimize the chances of infection, users need to be wary of suspicious advertisements on shady websites and, as much as possible, download applications only from trusted sources.\r\nTrend Micro solutions that offer a multilayered defense system can help organizations protect their employees from these kinds of campaigns by detecting, scanning, and blocking malicious URLs.\r\nIndicators of Compromise\r\nThe complete indicators for this attack can also be found in this appendix.\r\nSHA256 | File name | Note | Analysis\r\n124FE26D53E2702B42AE07F8AEC5EE4E79E7424BCE6ECDA608536BBF0A7A2377 | oneroom_setup.zip | Malicious game archive | Trojan.Win32\r\nE667F9C109E20900CC8BADD09EDE6CDCE0BDC77164CFD035ACE95498E90D45E7 | oneroom_game.zip | Malicious game archive | Trojan.Win32\r\n93FFE7CF56FEB3FB541AEF91D3FC04A5CF22DF428DC0B7E5FEB8EDDDC2C72699 | Magicalgirl.zip | Malicious game archive | Trojan.Win32\r\nAD13BB18465D259ACC6E4CEBA24BEFF42D50843C8FD92633C569E493A075FDDC | kiplayer.zip | Malicious streaming archive | Trojan.Win32\r\nA9EF18B012BD20945BB3533DEEC69D82437BF0117F83B2E9F9E7FACC5AA81255 | oneroom_game_v7.zip | Malicious game archive | Trojan.Win32\r\n6C1F4FFA63EE7094573B0F6D1BD51255F603BC8958757405C8C998416537D587 | Xjs.dll | First shellcode loader | Trojan.Win32\r\n1366E2AC6365E4B76595A19760438D876E01DB40C60EC3F42849F0218B724F1B | Xjs.dll | First shellcode loader | Trojan.Win32\r\n0B3E5E2406490DF17A198A8340B103BB331A5277461234F3F90ED257E418C1F8 | Xjs.dll | First shellcode loader | Trojan.Win32\r\n3E0FAEE93F6EF572537735C7F2D82D151C5A21EB30EACC576B3B66320C74FD34 | format.cfg | Encrypted shellcode | Trojan.Win32\r\nDB6CBE4EE82F87008B34D1D4E9AA6EE3C9CCD21CB7A0B60925D5DA8D1295A269 | format.cfg | Encrypted shellcode | Trojan.Win32\r\n3B7FB5EC8180AD74871EB9F5B59E6E98A188CE84BA3BD6ADD9B4BCFCCB80C137 | format.cfg | Encrypted shellcode | Trojan.Win32\r\n52E2B9CBA4E1BEE1EB3ED9D03BC33EADB6C8D6AAC8598679AA95690E587BE7C4 | config.dll | Cinobi 1st stage loader; 32bit | Trojan.Win32\r\nF5AD9E32A84DF617ABA3786F19BA7DAB4B4BD8A27627232D3AACE760511AEDF7 | config.dll | Cinobi 1st stage loader; 32bit | Trojan.Win32\r\n45C7C36E7E8B832815D8B03651EDC14F864B52E1C599E5336A1AAA0BD47FF3E3 | cfg.config | Encrypted 1st stage of Cinobi; 32bit | Trojan.Win32\r\n522C59BACE844A3D76B674842373DDBF959FC5B352317B024DBF225F536A641E | cfg.config | Encrypted 1st stage of Cinobi; 32bit | Trojan.Win32\r\n16AB933AD01D73120EE5B764C12057FF7F6DC3063BBC377CDB87419A30532323 | N/A | 2nd and 3rd stage loader; 32bit | Trojan.Win32\r\n9D10AC2A2C7C58F1E1D4B745746AA5F0CE699C0DB87CCCA43418435FAA03AD1B | N/A | 2nd stage encrypted; 32bit | Trojan.Win32\r\nC4039CD7DB24158BE51DA9010E6A367F5253F40F007B656407FB69D279732784 | N/A | 3rd stage encrypted; 32bit | Trojan.Win32\r\n2A6FE431326ACCAF31EA7CA7CD1214AD5EFCA891619859BCF60671A62C8D81F4 | N/A | Cinobi 4th stage (last); 32bit | TrojanSpy.Wi\r\n258EDBBAC7E78B4F51433807B237FC0ED7F76031795EA48A4FEFB38949F9B3B6 | N/A | 2nd and 3rd stage loader; 64bit | Trojan.Win64\r\nA3010F206656752FAD70EF7637947933152E7ADC883B43D0832B2234C8E6F968 | N/A | 2nd stage encrypted; 64bit | Trojan.Win64\r\nE037839A3DACC3153754A156136E9EAD2F4C52939FE869B3981C4BB5114202C8 | N/A | 3rd stage encrypted; 64bit | Trojan.Win64\r\nF8B80978D4548139E824863DD661E40AF4C2523C3E93547E4F167A749E108280 | N/A | Cinobi 4th stage (last); 64bit | TrojanSpy.Wi\r\nB157BEAC5516D05A014527B3F0FE4B01683CAAC9FFF6608B67A8BA62DF5EF838 | N/A | 2nd and 3rd stage loader; 32bit | Trojan.Win32\r\n2384FDA35A293B5F5B32B09E8DC455E7CE40A92D25CD9BACEEAB494785426B46 | N/A | 2nd stage encrypted; 32bit | Trojan.Win32\r\n9FF65052FE93A884D7BCE36E87F4DE104839F72F26AF66785B2D98EAB706C816 | N/A | 3rd stage encrypted; 32bit | Trojan.Win32\r\n31C936D08E9BA8FDA86844F67363223BDB6A917F530571ABCB3F584874909FEA | N/A | Cinobi 4th stage (last); 32bit | TrojanSpy.W\r\n00F24AC0AD19DC3EE05A112F7650AABA16041020263EA851C90F3C0A61C7EC57 | N/A | 2nd and 3rd stage loader; 64bit | Trojan.Win64\r\nB0E5BB79CDFAD284D88BC26DB4289A51F114CC71C928E8A9951DC8C498A243B9 | N/A | 2nd stage encrypted; 64bit | Trojan.Win64\r\n095E85EBE2155798FB3A5FBD57196CF377B56FB2176CFF3A776302DCB806237D | N/A | 3rd stage encrypted; 64bit | Trojan.Win64\r\nB36BFF265EE47D31E4C70EE78BADCFCC0DE89643DA61C1BF16BA2D6F36A62936 | N/A | Cinobi 4th stage (last); 64bit | TrojanSpy.Wi\r\nE41AB2DE9CCFFE3AADDB32C224114D88D2E61C02D52F89829B544F49B672D74D | N/A | 2nd stage loader; 32bit | Trojan.Win32\r\n59DF3B32A0D3FEFB15C6AAB7D9254E597484A486156CBC1F403A376A8A0C25FB | N/A | 2nd stage encrypted; 32bit | Trojan.Win32\r\n043720F493CA7A2B2E18CCD7AEC8CB8D577F544AAE02975BFE313046E839F107 | N/A | 2nd stage loader; 64bit | Trojan.Win64\r\n83F7D60D172628E421EF038566F449E8708573201C8F23398F0F06B5F33123DA | N/A | 2nd stage encrypted; 64bit | Trojan.Win64\r\n58C60164AAA23777E5A8DBBA25C4466A5B1ECA54EF8CF02BA2CD1AB7084753BE | N/A | Cinobi 3rd stage (last); 32bit | TrojanSpy.W\r\nF3DA0C082EB271A2F0DD54F2A3260BFC02BDF311EBCB1C619D479FCBB1E9F6F5 | N/A | Cinobi 3rd stage (last); 64bit | TrojanSpy.Wi\r\nIP Address/Domain/URL | Note\r\nwww[.]chirigame[.]com | Malvertising domain\r\nwww[.]supapureigemu[.]com | Malvertising domain\r\nwww[.]getkiplayer[.]com | Malvertising domain\r\nwww[.]magicalgirlonlive[.]com | Malvertising domain\r\na7q5adiilsjkujxk[.]onion | Cinobi banker’s C\u0026C serving stages 2-4\r\n5lmt6t4kaymuwvm5[.]onion | Cinobi banker’s C\u0026C serving configuration files\r\nSource: https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html"
	],
	"report_names": [
		"cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434927,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d70f06e6e35751bbde06f6cbf4216344b23df3b1.pdf",
		"text": "https://archive.orkl.eu/d70f06e6e35751bbde06f6cbf4216344b23df3b1.txt",
		"img": "https://archive.orkl.eu/d70f06e6e35751bbde06f6cbf4216344b23df3b1.jpg"
	}
}