Compromised Japanese porn websites distribute banking trojan

Aibatook only targets Japanese companies, but the malware can easily be repurposed for use in the U.S.

Attackers have compromised popular Japanese adult websites in order to distribute a trojan that is primarily targeting customers of two major banks in the country; however, the malware could easily be repurposed for use in the U.S., according to researchers with ESET.

The Aibatook trojan can constantly monitor browsing activity, modify visited web pages, redirect to web pages, and capture and exfiltrate information entered into web forms, Joan Calvet, a malware researcher with ESET, told SCMagazine.com in a Wednesday email correspondence.

Aibatook was first identified in late 2013, but the operators updated the malware in April for use specifically against two major Japanese banks, and more broadly against other Japanese companies, in a campaign only targeting users of Internet Explorer, according to a Wednesday post.

“Internet Explorer is the most used browser in Japan,” Calvet said, adding the attackers likely have no need to extend their browser coverage. Furthermore, in order to steal information from victims, an Internet Explorer manipulation technique is used, the post explains.

Aibatook is programmed to specifically target visitors to the Japan Post and SBI Sumishin Net Bank websites – it uses more general form grabbing techniques to steal data when visiting other Japanese company websites – but that may not always be the case, Calvet said.

“It could easily be retargeted against U.S. banks by using the configurable information stealer implemented in Aibatook, allowing its authors to add any webpage's input fields to make it a target,” Calvet said.

Although others are believed to exist, ESET researchers identified four Japanese adult websites – sokuhabo.net, uravidata.com, ppv.xxxurabi.com, and mywife.cc – that could redirect users to a page that exploits Java vulnerability CVE-2013-2465 to distribute the malware, the post indicates.

Why only use a single exploit to infect users?

“The exploitation success ratio is probably high enough for the Aibatook's operators,” Calvet said, adding this appears to be the early stages of the operation. “Using a more powerful exploit pack and targeting other web browsers would be the next logical step for the operators in order to increase the number of potential victims.”

ESET researchers in the post stated that it is unclear exactly how the Japanese adult websites are being compromised in the first place, but Calvet suggested that the attackers – who ESET believes to be from Japan – might have used Aibatook to steal webmaster passwords.
