Chthonic banking Trojan spread by PayPal accounts

Criminals are using PayPal's money request notification emails to send the malware


PayPal emails have been spreading the Chthonic banking Trojan, research by Proofpoint has discovered.

Proofpoint uncovered emails with the PayPal "You've got a money request" subject line were being used by criminals to distribute the malware. However, rather than using fake emails that appear to be genuine, it seems the emails were sent using PayPal-registered accounts.

Advertisement - Article continues below

The criminals were able to send emails to other PayPal users via the money sending service, adding the malicious link in the personalised message.

The content of the email message explains that the victim's PayPal account has been used to defraud another PayPal user. However, the other PayPal user is actually the criminal, asking for a refund of the monies. Not only might the victim send a payment of the specified amount to the criminal, but they may also click on a malicious link in the same email, which claims to link through to evidence of the fraudulent transaction.

When a PayPal user clicks on the link, they are redirected to a malicious site, which downloads an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js to the user's system. If this is opened, it downloads an executable file from another site, which contians Chthonic, a variant of the Zeus banking Trojan.

Advertisement - Article continues below

What is concerning, Proofpoint explained, is that mail providers including Google failed to block the email, despite it obviously including a malicious link.

Advertisement - Article continues below

"Although the scale of this campaign appeared to be relatively small (this particular example was only detected through one of our spamtraps; as of the writing of this blog, the malicious link has only been clicked 27 times according to Google Analytics for the URL shortener), the technique is both interesting and troubling," Proofpoint said in a blog post.

"For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C&C, the potential impact is high. At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload."

In a statement, PayPal said: "Security is a top priority for our company. Based on information we received regarding a possible way to use our request money feature to send spoof or phishing emails, we put additional security protocols in place to safeguard our customers. These protocols recently identified some anomalous usage of this feature and we are aware that attempts were made to use the request money feature to distribute malware to a small number of our customers.

Advertisement - Article continues below

"We have put measures in place in an effort to prevent the misuse of this feature. We are continuing to carefully monitor the situation and will reach out to any impacted customers."

This story was originally published on 28 July 2016 and has since been updated to include comments from PayPal

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular


How to find RAM speed, size and type

24 Jun 2020

Microsoft releases urgent patch for high-risk Windows 10 flaws

1 Jul 2020
Policy & legislation

UK gov buys "wrong" satellites in £500m blunder

29 Jun 2020