A new campaign dubbed ‘Operation Overtrap’ has been found stealing banking credentials from Japanese banking users. The campaign has been active since April 2019 and uses three different attack vectors to spread the Bottle exploit kit and a brand-new Cinobi banking trojan.
What are the modes of propagation?
According to Trend Micro’s analysis, the campaign’s attack vectors include:
- Spam emails that include a phishing link disguised as a banking website;
- Spam emails that prompt victims to run a disguised malware’s executable downloaded from a linked phishing page;
- Using a custom exploit to deliver malware via malvertising.
About Bottle Exploit Kit
The Bottle exploit kit was first observed as part of the campaign in September 2019. Threat actors behind the campaign used a Japan-targeted malvertising campaign to push this exploit kit.
It exploited a Flash Player use-after-free vulnerability (CVE-2018-15982) as well as a VBScript remote code execution vulnerability (CVE-2018-8174) to launch the new Cinobi trojan.
About Cinobi trojan
Trend Micro’s analysis reveals that Cinobi trojan has two versions:
- The first one has a DLL library injection payload that compromises victims’ web browsers to perform form-grabbing. This version can also modify web traffic sent to and received from targeted websites.
- The second version has a web inject function that allows cybercriminals to modify accessed webpages. This version has all the capabilities of the first one plus the ability to communicate with a C2 server over the Tor proxy.
Bottom line
The Operation Overtrap campaign uses a variety of attack vectors to steal banking credentials. Therefore, users and organizations need to adopt best practices to protect their systems against phishing attacks and malicious advertisements.