Trojans Exploit Pinterest as C&C to Target South Korean Banks

Security researchers of security firm Trend Micro had discovered that a number of banking trojans were specially targeting South Korean financial institutes and these trojans employ Pinterest to converse with command-and control and also to redirect users to spoofed websites containing malicious payload.

Some of the monetary institutes victimized by these attacks include: Nonghyup Bank, Hana Bank, Shinhan Bank, Kookmin Bank, Woori Bank, the Industrial Bank of Korea (IBK) and the Consumer Finance Service Center.

The criminals can steal banking credentials of a customer as and when he/she is infected with malicious software and redirected to a phishing website which looks like a genuine website of the bank. But, this is the primary time that a Trojan has been detected to employ Pinterest to distribute itself.

Trend Micro has discovered Trojan in this attack which is dubbed as TSPY_BANKER.YYSI and it is distributed to the victim via an exploit kit delivered through an iframe tag injected into a compromised genuine website which then redirects to another hijacked location which hosts the web-based attacking tool.

Softpedia.com published news during third week of December 2014 quoting Joseph Chen, Fraud Researcher of Trend Micro, as saying "Once this malicious software is infected in a system, users accessing certain banking websites with Internet Explorer are automatically redirected to a maligned site which contains a phishing webpage and the page asks Internauts to provide their banking details."

He pinpoints that the assault is effective only if users use Internet Explorer for Internet banking transactions.

To direct the victims to fake versions of websites, the authors of the attack customized them to decode the leftover messages on Pinterest and the IPs are available under the format 104A149B245C120D where every letter represents the dot in the address.

The security firm analyzed one of the attacks and found that attackers leveraged exploits for two fixed Internet Explorer flaws such as CVE-2013-2551 and CVE-2014-0322 to distribute the malware. The exploit code is heavily complicated but researchers are sure that it is identical to Sweet Orange, an exploit kit which has been used in many operations in the past.

» SPAMfighter News - 1/6/2015