Cinobi Banking Trojan

Cinobi Banking Trojan Description

Cinobi is a banking Trojan deployed in attack campaigns against Japanese users. Researchers at Trend Micro named the first campaign 'Operation Overtrap' and attributed it to a group they track as 'Water Kappa.' At that time the cybercriminals relied on spam email campaigns and the Bottle exploit kit to deliver the malware to targeted devices. After a period of intermittent activity, Water Kappa appears to be ramping up once more. The new campaign shows a shift towards social engineering tactics to spread an evolved version of the Cinobi banking Trojan, which now adds several Japanese cryptocurrency websites to its previous list of targeted banking institutions.

Infection Techniques

The Water Kappa hackers have packaged the newer Cinobi banking Trojan versions inside a malicious application that is spread via malvertisements. Most likely, the cybercriminals took several legitimate advertisements and created their own imitations by removing or changing certain details, such as reducing the number of buttons shown in the ad. The fake advertisements then try to lure users by pretending to offer Japanese animated porn games, reward points applications or video streaming applications. In all, infosec researchers have observed five different themes. All of the advertisements lead to the same malicious archive carrying the Cinobi banking Trojan. Note that access to the landing page for the ZIP archive is limited to Japanese IP addresses only; all other visitors are shown a Cloudflare error message, which also makes the delivery chain harder to reproduce from outside Japan.

Multiple Cinobi Versions Detected

Two different versions of the threat have been discovered as part of the recent attack campaign. Their overall behavior and end goal have remained consistent, and both rely on DLL sideloading to load and initiate the Cinobi threat. The versions differ in the number of stages in their operation chain and in the number of Command-and-Control (C2) servers set up to support them. One goes through four stages, each delivering a new component and more than likely performing checks for signs of virtualization. This version uses two C2 servers: one responsible for stages 2 and 4, while the other provides the configuration files. A refactored version of the threat instead goes through only three stages and is supported by a single C2 server.

The new Cinobi attack campaign illustrates once again how important it is for users to be cautious when browsing the web. Avoid engaging with suspicious ads and, wherever possible, do not download files from unknown or questionable sources.