
Move the Mouse and You Could Have Your Banking Details Stolen

A Compromised Website Waits for User Interaction Before Sending Malware

Boxing fans from Russia got a nasty surprise a few weeks ago. They wanted to read the latest news about their favorite sport, but instead they received a banking Trojan called Buhtrap, whose name combines "Buhgalter" (the Russian word for "accountant") with "trap."

It all came from a boxing-related online portal called allboxing.ru. Using popular websites (at 3 million visitors per month, allboxing.ru is definitely popular) to infect innocent people with malware is nothing new. When researchers from ForcePoint examined the malicious activity on allboxing.ru, however, they found that in this particular instance the hackers had used some rather innovative techniques.

The threat actors compromised the website and injected their malicious code directly into the .js file of a jQuery plugin, which shows that they were thinking about avoiding early detection. They used boxing terms in the URL of the Command & Control server, which also helps keep suspicion to a minimum. What is more interesting, however, is the way the actual malware is activated.

The malicious script was programmed to track the user's interaction with the website and to award points for it. If you move the mouse, for example, you get 1 point; if you scroll down or up, you get 11 points; if you click on a link or a picture, you get 16 points. Once your score reaches 31, the script opens a hidden iframe which executes a few PowerShell commands and downloads a file called tysonfury.jpg from the threat actors' C&C server. That file contains the actual banking Trojan.

Why did the hackers bother with the scoring system instead of infecting users as soon as they open the website? By tracking user interaction, the threat actors can make sure that there is an actual human being on the other side. This way the malware is not triggered by automated scanning and analysis, and the malicious code has a better chance of remaining inside the compromised website undetected for longer.

On the bright side, the malicious code exploits an Internet Explorer vulnerability using an exploit taken from the now-defunct Neutrino exploit kit. The security hole has been patched by Microsoft, so people using recent, fully updated versions of Internet Explorer should have no issues. Firefox and Chrome users are also safe.

Nevertheless, this particular attack shows that threat actors are actively looking for ever more clever ways of conducting their illegal operations undetected.
