A new campaign, now called "Operation Overtrap", has been found infecting victims with its payload: online banking users are being targeted via the Bottle Exploit Kit and a brand-new banking trojan, Cinobi. The campaign mainly targets online customers of various Japanese banks and steals their banking credentials through a three-pronged attack, using three different vectors:
• By sending spam emails with a phishing link to a fake banking website
• By sending spam emails asking victims to execute a disguised malware executable downloaded from a linked phishing page
• By using a custom exploit kit to deliver malware via malvertising
Below is the workflow of Operation Overtrap.
The Bottle Exploit Kit (BottleEK) exploits CVE-2018-15982, a use-after-free vulnerability in Flash Player, and CVE-2018-8174, a remote code execution vulnerability in the VBScript engine. Victims who reach this exploit kit's landing page with an unpatched or outdated browser are infected with BottleEK's payload.
Cinobi has two versions. The first carries a DLL-injection payload that compromises the victim's web browser to perform form-grabbing; this version can also modify web traffic sent to and received from targeted websites. Our investigation found that all the websites targeted by this campaign belong to Japan-based banks. Besides form-grabbing, it also has a webinject function that lets the cybercriminals modify the web pages the victim accesses. The second version has all the capabilities of the first plus the ability to communicate with its command-and-control (C&C) server over a Tor proxy.