# Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan Technical Brief _By Jaromir Horejsi and Joseph C. Chen (Threat Researchers)_ ----- We recently discovered a new campaign that we dubbed “Operation Overtrap” for the numerous ways it can infect or trap victims with its payload. The campaign mainly targets online users of various Japanese banks by stealing their banking credentials using a three-pronged attack. Based on our telemetry, Operation Overtrap has been active since April 2019 and has been solely targeting online banking users located in Japan. Our analysis shows that this campaign uses three different attack vectors to steal its victims’ banking credentials: - By sending spam emails with a phishing link to a page disguised as a banking website - By sending spam emails asking victims to execute a disguised malware’s executable downloaded from a linked phishing page. - By using a custom exploit kit to deliver malware via malvertising Figure 1. Operation Overtrap three-pronged attack flow ## Technical Analysis ### Discovering Operation Overtrap We first discovered the campaign in September 2019 using a then-unidentified exploit kit. Based on our data, Operation Overtrap has been using spam emails to deliver its payload to victims as early as April 2019. In mid-September, we observed a significant number of victims being redirected to the exploit kit, which targeted Internet Explorer, after they have clicked on links from social ----- media platforms. It should be noted, however, that the way the victims received the links has not been identified. It is also worth mentioning that Operation Overtrap only seems to target Japanese online banking users; it redirects victims with different geolocations to a fake online shop. Our analysis revealed that the exploit kit only dropped a clean binary that does not perform malicious activities on a victim’s device. It also immediately closes after infection. It is still unclear why the threat actors behind Operation Overtrap initially delivered a clean binary file; it’s possible that they were testing their custom exploit kit during this stage of the campaign’s development. Figure 2. A screengrab that shows exploit kit network traffic in September 2019 Figure 3. A screengrab that features a clean file dropped by Operation Overtrap’s exploit kit ### Operation Overtrap’s Custom Exploit Kit: Bottle Exploit Kit On September 29, 2019, we observed that the exploit kit ceased to drop a clean file, and instead, delivered a brand-new banking trojan that we dubbed “Cinobi.” We also noted that the threat actors behind Operation Overtrap have stopped redirecting victims from social media and began to use a Japan-targeted malvertising campaign to push their custom exploit kit. Another researcher later discovered the custom exploit kit, which was named the Bottle Exploit Kit (BottleEK). It exploits CVE-2018-15982, a Flash Player use after free vulnerability, as well as CVE-2018-8174, a VBScript remote code execution vulnerability. Victims will be infected with BottleEK’s payload if they access this ----- particular exploit kit’s landing page with unpatched or outdated browsers. Our telemetry shows that BottleEK was the most active exploit kit detected in Japan in February 2020. Figure 4. Exploit kit activity observed in Japan on February 2020 (Data obtained from Trend Micro Smart Protection Network™) BottleEK performs the following steps during the compromise of an infected machine: 1. Check if the browser cookie “username” has been set. If it’s set, it will not perform any action. Otherwise, it will set a “username” cookie with the value “bingv” and continue the infection. This step aims to filter out victims who have been previously attacked to prevent a double infection. Figure 5. Screengrab of code showing the BottleEK script verifying browser cookie information 2. Check if the browser is Internet Explorer and if the browser language is set to Japanese. If not, it will stop the infection. ----- Figure 6. Screengrab of code showing the BottleEK script checking the infected device’s browser language and browser version 3. Check the version of Internet Explorer, Adobe Flash Player, and the architecture of the infected machine. It then sends the gathered information with an Ajax request to the exploit kit hosting server in this format: “/conn.php?callback=?data1={Internet Explorer version}&data2={64 bits or 32 bits architecture}&data3={Adobe Flash Player version}”. Figure 7. Screengrab of the BottleEK script sending information of the victim machine and loading the corresponding exploit 4. Based on the information received by the exploit kit server, it will return the location of different exploit codes and instruct the browser to load them accordingly. The exploits used by BottleEK include CVE-2018-15982, an Adobe Flash exploit, and CVE-2018-8174, a VBScript engine exploit. 5. After successful exploitation, it will load the malware from the URL “/conn[.]php?ge=1” and execute it. It is worth noting that if the cookie “username” set during the first step is not present during the request to load the exploit, the ----- exploit kit server will return an empty response. This is an anti-crawl feature that prevents web crawlers from directly grabbing the campaign’s payloads. An analysis of the shellcodes embedded and executed by the exploits reveals the use of Metasploit encoders. In the case of 32-bit shellcode, we observed the use of the Shikata Ga Nai encoder. Meanwhile, the 64-bit shellcode uses XOR dynamic encoder. Figure 8. Screengrab of shellcode encoded with the “Shikata Ga Nai” encoder Figure 9. Screengrab of shellcode encoded with the XOR dynamic” encoder Figure 10. Screengrab showing the Flash exploit containing both 32-bit and 64-bit shellcodes in one exploit file ----- ### Brand-new banking malware: Cinobi Operation Overtrap used a new banking malware we’ve decided to call Cinobi. Based on our analysis, Cinobi has two versions — the first one has a DLL library injection payload that compromises victims’ web browsers to perform form-grabbing. This Cinobi version can also modify web traffic sent to and received from targeted websites. Our investigation found that all the websites that this campaign targeted were those of Japan-based banks. Aside from form-grabbing, it also has a webinject function that allows cybercriminals the ability to modify accessed webpages. The second version has all the capabilities of the first one plus the ability to communicate with a command-and-control (C&C) server over the Tor proxy. ### Cinobi’s four stages of infection Each of Cinobi’s four stages contains an encrypted position-independent shellcode that makes analysis slightly more complicated. Each stage is downloaded from a C&C server after certain conditions have been met. ##### First stage The first stage of Cinobi’s infection chain, which has also been analyzed by another cybersecurity researcher, starts by calling the “GetUserDefaultUILanguages” function to check if the infected device’s local settings are set to Japanese. Figure 5. Screengrab of Cinobi’s check to determine the device’s language settings using “GetUserDefaultUILanguages” Cinobi will then download legitimate unzip.exe and Tor applications from the following locations: - ftp://ftp[.]cadwork.ch/DVD_V20/cadwork.dir/COM/unzip[.]exe - https://archive[.]torproject[.]org/tor-package-archive/torbrowser/8.0.8/tor win32-0.3.5.8[.]zip After extracting the Tor archive into the “\AppData\LocalLow\” directory, Cinobi will rename tor.exe to taskhost.exe and execute it. It will also run tor.exe with custom torrc file settings. ----- - "C:\Users\\AppData\LocalLow\\Tor\taskhost.exe" –f - "C:\Users\\AppData\LocalLow\\torrc" It will download the second stage of the malware payload from a .onion C&C address and save it in a randomly named .DLL file within the “\AppData\LocalLow\” folder. The filename of the first stage downloader is saved into a .JPG file with a random name. Figure 6. Screengrab of .JPG file that contains the filename of the first stage downloader After this, Cinobi will run the second stage of its downloader on the victim’s machine. Figure 7. Screengrab of code showing Cinobi running the second stage of its downloader on the victim’s machine #### Second stage Cinobi will connect to its C&C server to download and decrypt the file for the third stage of its infection chain. We observed that the filename of the third stage starts with the letter C, followed by random characters. Afterward, it will download and decrypt the file for the fourth stage, which has a filename that starts with the letter A, followed by random characters. After these, Cinobi will download and decrypt a config file (.txt) that contains a new C&C address. Cinobi uses RC4 encryption with a hardcoded key. Figure 8. Screengrab of code showing Cinobi’s decoded config file ----- Next, Cinobi will run the downloaded third stage infection file using the UAC bypass method via the CMSTPLUA COM interface. #### Third stage During the third infection stage, Cinobi will copy malware files from “\AppData\LocalLow\” to the “%PUBLIC%” folder. It will then install the fourth stage of the downloader (which was downloaded during the second stage) as Winsock Layered Service Provider (WSCInstallProviderAndChains). Figure 9. Screengrab of code showing the installation of the infection’s fourth stage on the victim machine as “WSCInstallProviderAndChains” Cinobi will then perform the following actions: - Change spooler service config to “SERVICE_AUTO_START” - Disable the following services: ``` o UsoSvc o Wuauserv o WaaSMedicSvc o SecurityHealthService o DisableAntiSpyware ``` - Copy and extract Tor files to “%PUBLIC%” folder - Rename tor.exe to taskhost.exe - Create torrc in “%PUBLIC%” with the content “DataDirectory C:\Users\Public\\data\tor” - Create .JPG file with the original dropper name - Remove files from “\AppData\LocalLow\” and remove the original dropper file #### Fourth stage Cinobi will call the WSCEnumProtocols function to retrieve information about available transport protocols. It will also call the **WSCGetProviderPath function to retrieve the** DLL path of the original transport provider. This function is called twice. The first call will return the malicious provider (as the fourth stage of the malware has already been ----- installed during the third stage of infection). The second call will return the original transport provider (“%SystemRoot%\system32\mswsock.dll”) and resolve and call its WSPStartup function. Cinobi will then check the name of the process in which the malicious DLL provider gets injected. In practice, Cinobi should be injected into all processes that make network connections using Windows sockets. Figure 10. Screengrab of processes where the malicious DLL provider has been injected Cinobi banker’s functionality depends on the process in which it has been loaded: |Process Name|Functionalities| |---|---| |chrome.exe|• Hooks Chrome APIs handling SSL functionality| |firefox.exe|• Hooks APIs (nss3.dll, nspr4.dll; PR_OpenTCPSocket, PR_Close, PR_Read, PR_Write, PR_GetNameForIdentity, PR_SetError)| |iexplore.exe|• Hooks Internet Explorer APIs handling SSL functionality| |lsass.exe|• The same functionalities as spoolsv.exe, except that it doesn’t write default config files and disable wuauserv| |spoolsv.exe|• Creates a thread that writes a .cfg file containing an| ----- |Col1|environment hash (unique identifier of victim machine) • Creates a thread that disables Google Chrome Auto Updates, reads .wmv config file that links to an archive with an installer of an older version of Chrome 53. This thread downloads and installs this old Chrome version and modifies .lnk files for the Google Chrome browser • Creates a thread that modifies Firefox's profiles.ini • Modifies IE settings • Writes all other default config files with various file extensions (.txt, .bmp, .png, .wmv) • Runs thread which regularly attempts to close the wuauserv service| |---|---| Cinobi exits if it is injected into any of the following antivirus processes: - ahnlab - avast - avg - avira - bitdefender - comodo - doctor web - drweb - Fortinet - f-secure - g data - Kaspersky - mcafee - norton - smartscreen.exe - sophos - trend - windows defender ----- ### Cinobi’s Dropped Configuration files Cinobi drops various configuration files while running though all four stages of infection. All these files have different extensions and are encrypted with the same hardcoded RC4 key. We have decrypted the configuration files and analyzed them below: - **.bmp contains a list of targeted financial institutions.** - **.cfg contains an environment hash, which is a unique identifier** for a victim machine. - **.png contains web injects. As seen from screenshot below, the** file only contains “localhost” with a random string. This may indicate that the threat actor does not need to use web injects at all. - **.txt contains a list of C&C servers.** - **.wmv contains a link for downloading an older Google Chrome** version (Chrome 53) because, as mentioned in this paper, this particular version of Google Chrome uses a “completely different virtual method table” to search for SSL functions to hook. It seems that the attackers have yet to develop a working method for hooking newer Chrome SSL functions. ----- ### Running Cinobi banking Trojan To fully analyze the Cinobi banking Trojan, we ran it on a testing machine. In order to run Cinobi, the machine’s system must be set to Japanese locale or, to bypass the locale check, patch the downloader from the first stage of the infection. #### Testing web injects Even though web injects were not used in this campaign, we tested the web injects by running a simple webserver with a website containing the keyword “opqrst.” According to the dropped configuration settings, “opqrst” should be appended with the keyword “aaaaaaa” on an infected machine. - To do this test, we first ran an HTTP server using the Python SimpleHTTPServer module. - We then created the “index.html” webpage with the following content: - We opened localhost on the web browser and found seven consecutive letter As injected after each “opqrst” keyword. This proves that the web injects work. ----- #### Testing the form-grabbing feature To test Cinobi’s form-grabbing feature, we loaded a website belonging to one of the targeted financial institutions and attempted to input data into one of its HTML forms to see what happens when the form is submitted. - We proceeded to enter random digits (we used 7777, 8888, and 99999) on one of the HTML forms, . - Soon after, we observed the creation of a randomly named .txt file with content that was encrypted with the same RC4 password as the other configuration files. After decrypting the .txt file, it revealed the decrypted HTTPS request. The userentered data is shown below, in red. This .txt file is submitted to the banking trojan’s C&C server. ----- ### Connections to previous phishing attacks Although we have identified that the Cinobi banking trojan is mainly being dropped by the Bottle exploit kit, we have also observed similar samples being distributed in the wild since April 2019. These samples look almost similar to the Cinobi banking trojan, but without the ability to download, install, and communicate over the Tor proxy. We suspect that these samples were the earlier version of Cinobi (marked as Cinobi V1) and the one with the Tor functionality we received from BottleEK is the second version (marked as Cinobi V2). Another connection relates to the domain used by Cinobi V1’s C&C server (cionx[.]inteleksys[.]com), which has the same base domain as the server of Bottle exploit kit (sales[.]inteleksys[.]com). We noticed that the campaign reuses the domain inteleksys[.]com but uses different subdomains. It is worth noting that the domain was used to host a legitimate website, but after its registration expired, cybercriminals reregistered it and started using it for malicious purposes. It is also possible that the originally legitimate domain is included in cybersecurity solutions’ whitelists. During the investigation of Cinobi V1, we found that the malware was not distributed via exploit kit, but was distributed with a phishing page sent via spam email. The phishing page was disguised as an office bank website asking victims to install a new certificate to enhance security measures. However, the link to the certificate file is Cinobi V1’s loader. The Cinobi V1 phishing page could also be found via several domains that use typosquatting techniques to fool internet users who mistype domains belonging to legitimate Japanese banks on their internet browsers. ----- Figure 11. Example of a phishing page that contains the Cinobi V1 loader (Screenshot from urlscan.io) When we checked the domains linking these phishing pages, we found that one of the IP addresses, 118[.]27[.]34[.]110, was associated with other phishing domains and overlapped with another domain, “ts3cardd[.com],” which was used in a phishing attack delivered via spam email, according to an alert issued by one of the targeted banks. We also learned that the registration information of a phishing domain used to deliver Cinobi V1 overlapped with several domains hosting Amazon-themed phishing sites. These connections show that this campaign might also employ typical phishing attacks to grab credentials from unsuspecting victims. ----- Figure 12. Domain registration information overlap between the phishing site (japanp0st.jp) delivering Cinobi V1 and an Amazon-themed phishing site (safetb amazon[.]jp). Note: The profile used in the domain information is fake ## Best practices against spam and vulnerabilities Operation Overtrap uses a variety of attack vectors to steal banking credentials. Users and organizations need to adopt best practices to ensure that their systems are protected against messaging-related threats as well as falling prey to malicious advertisements. An example of a best practice an organization must have is having a central point for reporting suspicious emails. Organizations, through their IT teams, need to have a centralized information gathering system. For this to be effective, all employees must be aware of the reporting procedure for suspicious emails. Meanwhile, to avoid malicious advertisements, users should be wary of clicking suspicious links or pop-ups and make sure to actively update software via official channels only. Organizations will greatly benefit from regularly updating systems (or use virtual patching for legacy systems) to prevent attackers from taking advantage of security gaps. Additional security mechanisms like enabling firewalls and intrusion detection and prevention systems will help thwart suspicious network activities that may indicate red flags like data exfiltration or C&C communication. ### Trend Micro Solutions Organizations can consider Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats by detecting malicious files and spammed ----- messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs. Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection that stops spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and onpremises email solutions. For defending against malvertising campaigns in general, users can employ Trend Micro™ Maximum Security, which protects consumers via a multi-layered defense that delivers highly effective and efficient protection against ever-evolving threats. Trend Micro™ Smart Protection Suites also protect businesses against these types of threats by providing threat protection techniques designed to eliminate security gaps across multiple users and endpoints. ----- #### MITRE Att&ck Matrix ----- Afoepcyof.dll Cinobi V2 hash (Stage 4 DLL) |Indicators of Compromise (IoCs)|Col2|Col3|Col4| |---|---|---|---| |SHA-256|Trend Micro Detection Name|Filename|Description| |7f505a1064ea09daba577aa553efbf3385c890ab5aac2ace6ef3e927f480fb87|Trojan.VBS.CVE20188174.AMT|vbs.vbs|CVE-2018- 8174 used by BottleEK| |96e91a1f656fb70339f8f4e383e7f967d25c1a414f436ddffc692518ace579ad|Trojan.SWF.CVE201815982.AK|swf.swf|CVE-2018- 15982 used by BottleEK| |01bf58c650b6ba30733c14026fcff4ecfc24becdd05637a84ef2a7e86aff3fe0|TrojanSpy.Win32.CINOBI.A|EVSSL.exe|Cinobi V1 hash| |ed7b5c16cb5c4f56b3ded279688b693ec52389cacc0b81e940b0591b7f68aa84|TrojanSpy.Win32.CINOBI.A|N/A|Cinobi V2 hash| |914eb64b93cbb631c710ef6cbd0f9cedf93415be421ccc6e285b288b87f3a246|TrojanSpy.Win32.CINOBI.A|N/A|| |c1b67a30119107365c4a311479794e07afb631980a649749501cb9f511fb0ab4|TrojanSpy.Win32.CINOBI.A|N/A|| |a9ea7e952ce38bf8bc14114325ca2a1bfed16f63798028565a669808b8b728dc|TrojanSpy.Win32.CINOBI.A|N/A|| |14842334ac730f417f2730dec9898491575341da3721584a49d44fbf02f1fa6a|TrojanSpy.Win32.CINOBI.A|foepcyof.dll|Cinobi V2 hash (Stage 2 DLL)| |b1d30ee17a4d1fae263ea0ca696765d2f48b727c9953009c079ed2cb3ee15ab9|TrojanSpy.Win32.CINOBI.A|Cfoepcyof.dll|Cinobi V2 hash (Stage 3 DLL)| |db1e379c66c41debf58062e0865527a8a5bd7b37b5f43e06c80540a47ac7f5a4|TrojanSpy.Win32.CINOBI.A|Afoepcyof.dll|Cinobi V2 hash (Stage 4 DLL)| |Domain|Description| |---|---| |shop[.]inteleksys[.]com|Bottle exploit kit domain| |view[.]inteleksys[.]com|| |priv[.]inteleksys[.]com|| |sales[.]inteleksys[.]com|| |xizr[.]inteleksys[.]com|| |byte[.]inteleksys[.]com|| |cionx[.]inteleksys[.]com|Cinobi V1 C&C domain| |5frjkvw2w3wv6dnv[.]onion|Cinobi V2 C&C Tor domain| |4w6ylniamu6x7e3a[.]onion|| |bank-japanpostpo[.]jp|Phishing domain delivering Cinobi V1| |bank-japanpost[.]com|| |bank-japanposst[.]jp|| ----- |bank-japanpostjp[.]com|Col2| |---|---| |jp-bank-japanossts[.]jp|| |jp-bamk[.]jp|| |japanp0st[.]jp|| |ts3cardd[.]com|Phishing domain linked to Operation Overtrap| |security-amazon[.]jp|| |safety-amazon[.]jp|| |safetb-amazon[.]jp|| **TREND MICRO[TM] RESEARCH** Trend Micro, a global leader in cybersecurity, helps to make the world safe for exchanging digital information. Trend Micro Research is powered by experts who are passionate about discovering new threats, sharing key insights, and supporting efforts to stop cybercriminals. Our global team helps identify millions of threats daily, leads the industry in vulnerability disclosures, and publishes innovative research on new threats techniques. We continually work to anticipate new threats and deliver thought-provoking research. **www.trendmicro.com** -----