A new social engineering-based malvertising campaign targeting the Japanese market has been discovered. It delivers a malicious application that installs a banking trojan (Cinobi) on infected Windows devices in order to access cryptocurrency account credentials.
According to Trend Micro researchers Jaromir Horejsi and Joseph C Chen, the application poses as an animated porn game, a reward points application, or a video streaming application.
The operation is linked to a threat actor known as Water Kappa, which was previously discovered targeting Japanese online banking users with the Cinobi trojan by leveraging exploits in the Internet Explorer browser.
According to the researchers, the change in methods indicates that the malicious actor is targeting users of web browsers other than Internet Explorer.
Water Kappa’s latest infection routine starts with malvertisements for Japanese animated porn games, reward points apps, or video streaming services. The landing pages urge the victim to download the application: a ZIP archive containing files from an older, 2018 version of the “Logitech Capture” application, together with modified files that are arranged to decrypt the victim’s data.
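The archive described above mixes a legitimate, older software release with files that were added or altered afterwards. A defender triaging such a download can look for exactly that mismatch. The script below is an added example, not code from the article or from Trend Micro: it builds a constructed sample ZIP in memory (the file names, contents and timestamps are invented), then flags entries whose timestamp year differs from the archive's dominant year and PE files that are absent from, or differ from, a known-good hash list. The `KNOWN_GOOD_2018` table is a placeholder derived from the constructed data; in practice it would be built from a clean vendor installer.

```python
import hashlib
import io
import zipfile
from collections import Counter

# Constructed sample archive: three entries dated 2018 (standing in for the
# reused Logitech Capture release) plus two newer entries added later.
SAMPLE_ENTRIES = [
    ("LogiCapture.exe", b"MZ" + b"\x00" * 62 + b"constructed-2018-exe", (2018, 9, 12, 10, 0, 0)),
    ("avcodec.dll",     b"MZ" + b"\x00" * 62 + b"constructed-2018-dll", (2018, 9, 12, 10, 0, 0)),
    ("readme.txt",      b"Logitech Capture (constructed sample)", (2018, 9, 12, 10, 0, 0)),
    ("helper.dll",      b"MZ" + b"\x00" * 62 + b"constructed-later-dll", (2021, 7, 30, 3, 15, 0)),
    ("config.dat",      b"\x8f\x12\x44opaque-blob", (2021, 7, 30, 3, 15, 0)),
]

# Placeholder allowlist: SHA-256 of the files that belong to the clean release.
# Real values would come from a pristine vendor installer, not from the sample.
KNOWN_GOOD_2018 = {
    name: hashlib.sha256(data).hexdigest()
    for name, data, dt in SAMPLE_ENTRIES
    if dt[0] == 2018 and data[:2] == b"MZ"
}


def build_sample_archive() -> bytes:
    """Write the constructed entries into an in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, dt in SAMPLE_ENTRIES:
            info = zipfile.ZipInfo(name, date_time=dt)  # preserve per-entry mtime
            zf.writestr(info, data)
    return buf.getvalue()


def triage_archive(zip_bytes: bytes, known_good: dict) -> dict:
    """Return {entry_name: [reasons]} for entries that look added or modified.

    Heuristics:
      * timestamp year differs from the year most entries carry
      * a PE file (MZ header) that is not in the known-good list
      * a PE file whose hash differs from its known-good entry
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        dominant_year = Counter(i.date_time[0] for i in infos).most_common(1)[0][0]
        for info in infos:
            data = zf.read(info)
            digest = hashlib.sha256(data).hexdigest()
            is_pe = data[:2] == b"MZ"
            reasons = []
            if info.date_time[0] != dominant_year:
                reasons.append(f"timestamp year {info.date_time[0]} differs from dominant {dominant_year}")
            if is_pe:
                expected = known_good.get(info.filename)
                if expected is None:
                    reasons.append("PE file not part of the known-good release")
                elif expected != digest:
                    reasons.append("PE file hash differs from known-good release")
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_archive(build_sample_archive(), KNOWN_GOOD_2018).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The year heuristic is deliberately coarse: ZIP timestamps are trivially forgeable, so the hash comparison against a clean release is the check to rely on, and the timestamp outliers are only a quick first pass.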
The trojan is designed to steal usernames and passwords for 11 Japanese financial institutions, three of which are active in cryptocurrency trading. The malvertisement sites are also geofenced, so that access from non-Japanese IP addresses is blocked.
Cinobi’s form-grabbing module is activated when a user visits one of the targeted websites, capturing the filled-in information in the login screens.
Water Kappa is still active, as evidenced by the new campaign, and is investing in improving its Cinobi trojan to target cryptocurrency holders. Furthermore, it appears to have scaled back its activity in order to improve its tools, demonstrating that this financially motivated actor has a well-thought-out strategy.