Chthonic banking Trojan spread by PayPal accounts

Criminals are using PayPal's money request notification emails to send the malware


PayPal emails have been spreading the Chthonic banking Trojan, research by Proofpoint has discovered.

Proofpoint uncovered emails with the PayPal "You've got a money request" subject line were being used by criminals to distribute the malware. However, rather than using fake emails that appear to be genuine, it seems the emails were sent using PayPal-registered accounts.

The criminals were able to send emails to other PayPal users via the money sending service, adding the malicious link in the personalised message.

The content of the email message explains that the victim's PayPal account has been used to defraud another PayPal user. However, the other PayPal user is actually the criminal, asking for a refund of the monies. Not only might the victim send a payment of the specified amount to the criminal, but they may also click on a malicious link in the same email, which claims to link through to evidence of the fraudulent transaction.

Advertisement - Article continues below
Advertisement - Article continues below

When a PayPal user clicks on the link, they are redirected to a malicious site, which downloads an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js to the user's system. If this is opened, it downloads an executable file from another site, which contians Chthonic, a variant of the Zeus banking Trojan.

What is concerning, Proofpoint explained, is that mail providers including Google failed to block the email, despite it obviously including a malicious link.

"Although the scale of this campaign appeared to be relatively small (this particular example was only detected through one of our spamtraps; as of the writing of this blog, the malicious link has only been clicked 27 times according to Google Analytics for the URL shortener), the technique is both interesting and troubling," Proofpoint said in a blog post.

"For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C&C, the potential impact is high. At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload."

In a statement, PayPal said: "Security is a top priority for our company. Based on information we received regarding a possible way to use our request money feature to send spoof or phishing emails, we put additional security protocols in place to safeguard our customers. These protocols recently identified some anomalous usage of this feature and we are aware that attempts were made to use the request money feature to distribute malware to a small number of our customers.

"We have put measures in place in an effort to prevent the misuse of this feature. We are continuing to carefully monitor the situation and will reach out to any impacted customers."

Advertisement - Article continues below

This story was originally published on 28 July 2016 and has since been updated to include comments from PayPal

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020