Banking Trojan Spreading Through Adult Websites

Banking trojan are spreading through adult websites, banking trojan named as the Win32/Aibatook. Win32/Aibatook is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

The number of victims affected and the amount of funds withdrawn from bank accounts due to compromises is increasing at an alarming rate. 

According to the Japanese National Police Agency, the number of reported illegal Internet banking withdrawals jumped from 64 incidents in 2012 to 1,315 incidents in 2013. 

The loss in savings amounted to approximately 1.4 billion yen (US$ 14 million) in 2013, up from 48 million yen (US$ 480,000) in 2012.

The trojan collects sensitive information when the user browses certain web sites. The trojan collects passwords used to access the following site:

http://www.jp-bank.japanpost.jp/
http://netbk.co.jp/

The following programs are affected:

Internet Explorer

The trojan attempts to send gathered information to a remote machine. This trojan is usually found under %startup% folder and csmss.exe filename is used.

In this case, the CVE-2014-0322 exploit code was used to download and execute bitcoin miner software called jhProtominer on the victim’s computer in order to abuse the computer’s hardware to mine for the virtual coin. 

The attacker appears to be motivated enough to target different audiences across borders and is looking for any type of opportunity to make a profit.

Banking Trojan works like this:

1. The attacker compromises a legitimate website to host exploit code on the site in order to infect visitors’ computers.
2. If someone with a computer vulnerable to the exploit visits the site, the system becomes infected with Infostealer.Bankeiya.
3. The malware uploads details about the compromised computer including the IP address, Mac address, OS version, and the name of security software installed.
4. The malware downloads encrypted configuration data which specifies the location of its updated version from either:
   1. A profile on a blog page solely created to host the encrypted data
   2. A specified URL on a compromised website
5. If an update is found, the malware will download the new version and replace itself with it. This version may contain information about the location of a new command-and-control (C&C) server.
6. If a victim logs onto  the targeted bank’s online site, the malware will display a fake pop-up window in order trick the victim into entering banking details.
7. The banking details entered by the victim will be sent to the C&C server and stored for the attacker to retrieve.

Author Venkatesh Yalagandula Follow us Google + and Facebook and Twitter