Trend Micro detailed a new social engineering malvertising campaign designed to infect Japanese users with a malicious application disguised as a free adult game, a reward points application, or a video streaming app.
The application uses a sideloading technique to show the victim arbitrary web pages and ultimately install the Cinobi banking trojan. Researchers say the attacks share much in common with the Water Kappa campaign they detailed earlier, but consider this to be a separate operation. The campaign's configuration remained the same, except that it now also targets a list of cryptocurrency exchange websites.
The infection chain begins when a user is served malvertisements built around five different themes. Regardless of theme, the ads trick victims into downloading the same archive containing the malware files. After the victim clicks the download button (labelled “index.clientdownload.windows”), the site serves a ZIP archive containing the main executable.
Researchers noted that the download is geofenced: if the site is accessed from a non-Japanese IP address, the visitor gets a Cloudflare error page instead and the attack chain terminates. In practice this means analysts or automated sandboxes outside Japan will not receive the payload unless they egress from a Japanese IP address.
The Cinobi banking trojan is delivered in four stages, which download additional components and may perform other tasks such as anti-virtual machine (VM) checks.
According to Trend Micro, the threat actor became more active in summer 2021. Researchers observed a few more versions with slight differences: besides the archive containing four malicious files, they also saw a refactored version with just three files.
The most important component is the configuration file that drives the form-grabbing functionality. The banking trojan has been spotted targeting users of 11 Japanese financial institutions, including banks and cryptocurrency trading firms.
The new malvertising campaign shows that Water Kappa is moving into the cryptocurrency space and continually updates its tools and techniques to increase its financial gain.
To avoid infection, Trend Micro recommends being extra cautious with suspicious advertisements and downloading applications only from legitimate, trusted sources.