Chthonic banking Trojan spread by PayPal accounts

PayPal emails have been spreading the Chthonic banking Trojan, research by Proofpoint has discovered.

Proofpoint uncovered emails with the PayPal "You've got a money request" subject line were being used by criminals to distribute the malware. However, rather than using fake emails that appear to be genuine, it seems the emails were sent using PayPal-registered accounts.

The criminals were able to send emails to other PayPal users via the money sending service, adding the malicious link in the personalised message.

The content of the email message explains that the victim's PayPal account has been used to defraud another PayPal user. However, the other PayPal user is actually the criminal, asking for a refund of the monies. Not only might the victim send a payment of the specified amount to the criminal, but they may also click on a malicious link in the same email, which claims to link through to evidence of the fraudulent transaction.

When a PayPal user clicks on the link, they are redirected to a malicious site, which downloads an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js to the user's system. If this is opened, it downloads an executable file from another site, which contians Chthonic, a variant of the Zeus banking Trojan.

What is concerning, Proofpoint explained, is that mail providers including Google failed to block the email, despite it obviously including a malicious link.

"Although the scale of this campaign appeared to be relatively small (this particular example was only detected through one of our spamtraps; as of the writing of this blog, the malicious link has only been clicked 27 times according to Google Analytics for the URL shortener), the technique is both interesting and troubling," Proofpoint said in a blog post.

"For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C&C, the potential impact is high. At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload."

In a statement, PayPal said: "Security is a top priority for our company. Based on information we received regarding a possible way to use our request money feature to send spoof or phishing emails, we put additional security protocols in place to safeguard our customers. These protocols recently identified some anomalous usage of this feature and we are aware that attempts were made to use the request money feature to distribute malware to a small number of our customers.

"We have put measures in place in an effort to prevent the misuse of this feature. We are continuing to carefully monitor the situation and will reach out to any impacted customers."

This story was originally published on 28 July 2016 and has since been updated to include comments from PayPal