Binary Options malvertising scheme delivers Gozi-like banking trojan

A recently discovered malvertising campaign called Binary Options is redirecting internet users to a fake trading company webpage, before infecting some of these victims with a banking trojan via the RIG exploit kit.

According to a blog post from Malwarebytes, the malware appears to be an "ISFB" variant, putting it in the same family as the trojans Dreambot and Gozi. (The post notes that the malware shares certain key Dreambot attributes described in a previous Proofpoint report.) It includes some anti-virtualization features, performs browser injections, captures screenshots and video, and communicates with its command-and-control server via Tor.

The malvertising attack chain is initiated when a user visits a site compromised with malicious ads. These ads redirect the user to the decoy website, which mimics the web template from a binary options trading company called Capital World Option. The adversary behind this scheme actually created multiple doppelganger sites, using a similar naming convention for each, Malwarebytes reported.

The fake site performs an IP check that filters out unwanted IP addresses. Users who are rejected are not infected, and simply remain on the decoy website. Those who are approved for targeting don't actually see the website content because they are immediately passed on to a second-stage server that performs additional IP address filtering. Users who successfully pass through this additional filter are then passed on to the RIG exploit kit, which delivers the trojan.

Popads and PlugRush were among the compromised advertising networks that were detected in Malwarebytes' telemetry.

"Banking Trojans have been a little bit forgotten about these days as they are overshadowed by ransomware," states the blog post, written by Jerome Segura, lead malware intelligence analyst at Malwarebytes. "However, they still represent a significant threat and actually do operate safely in the shadows, manipulating banking portals to perform wire transfers unbeknownst to their victims or even the banks they are targeting."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.