Binary Options malvertising scheme delivers Gozi-like banking trojan

April 21, 2017

A recently discovered malvertising campaign called Binary Options is redirecting internet users to a fake trading company webpage, before infecting some of these victims with a banking trojan via the RIG exploit kit.

According to a blog post from Malwarebytes, the malware appears to be an "ISFB" variant, putting it in the same family as the trojans Dreambot and Gozi. (The post notes that the malware shares certain key Dreambot attributes described in a previous Proofpoint report.) It includes some anti-virtualization features, performs browser injections, captures screenshots and video, and communicates with its command-and-control server via Tor.

The malvertising attack chain is initiated when a user visits a site compromised with malicious ads. These ads redirect the user to the decoy website, which mimics the web template from a binary options trading company called Capital World Option. The adversary behind this scheme actually created multiple doppelganger sites, using a similar naming convention for each, Malwarebytes reported.

The fake site performs an IP check that filters out unwanted IP addresses. Users who are rejected are not infected, and simply remain on the decoy website. Those who are approved for targeting don't actually see the website content because they are immediately passed on to a second-stage server that performs additional IP address filtering. Users who successfully pass through this additional filter are then passed on to the RIG exploit kit, which delivers the trojan.

Popads and PlugRush were among the compromised advertising networks that were detected in Malwarebytes' telemetry.

"Banking Trojans have been a little bit forgotten about these days as they are overshadowed by ransomware," states the blot post, written by Jerome Segura, lead malware intelligence analyst at Malwarebytes. "However, they still represent a significant threat and actually do operate safely in the shadows, manipulating banking portals to perform wire transfers unbeknownst to their victims or even the banks they are targeting."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

MDR

How two organizations beat the cyber insurance maze

Paul WagenseilDecember 23, 2024

Boosting digital protections can lead to reduced cybersecurity insurance premiums. Here’s how two firms achieved that after signing up with a managed detection and response (MDR) provider.

AI/ML

AI-fueled phishing, shadow AI, jailbreaks kept security pros busy in 2024

Laura FrenchDecember 23, 2024

Deepfakes, shadow AI and LLM misuse were growing concerns, while AI threat detection, malware analysis and vulnerability research showed promise for cyber defenders.

Cryptocurrency on Binance trading app, Bitcoin BTC with altcoin digital coin crypto currency, BNB, Ethereum, Dogecoin, Cardano, defi p2p decentralized fintech market

Threat Intelligence

Crypto heist proceeds exceed $2B amid more attacks

SC StaffDecember 20, 2024

While crypto platforms had already lost $1.5 billion during the first seven months of 2024, cryptocurrency heists have significantly dropped in frequency and size after separate intrusions against DMM Bitcoin and WazirX.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news