
Compromised Japanese porn websites distribute banking trojan

Attackers have compromised popular Japanese adult websites in order to distribute a trojan that is primarily targeting customers of two major banks in the country; however, the malware could easily be repurposed for use in the U.S., according to researchers with ESET.

The Aibatook trojan is capable of constantly monitoring browsing activity, modifying visited web pages, redirecting users to other web pages, and monitoring and exfiltrating information entered into web forms, Joan Calvet, a malware researcher with ESET, told SCMagazine.com in a Wednesday email correspondence.

Aibatook was first identified in late 2013, but the operators updated the malware in April for use specifically against two major Japanese banks, and more broadly against other Japanese companies, in a campaign only targeting users of Internet Explorer, according to a Wednesday post.

“Internet Explorer is the most used browser in Japan,” Calvet said, adding the attackers likely have no need to extend their browser coverage. Furthermore, in order to steal information from victims, an Internet Explorer manipulation technique is used, the post explains.

Aibatook is programmed to specifically target visitors to the Japan Post and SBI Sumishin Net Bank websites – it uses more general form grabbing techniques to steal data when visiting other Japanese company websites – but that may not always be the case, Calvet said.

“It could easily be retargeted against U.S. banks by using the configurable information stealer implemented in Aibatook, allowing its authors to add any webpage's input fields to make it a target,” Calvet said.

Although others are believed to exist, ESET researchers identified four Japanese adult websites – sokuhabo.net, uravidata.com, ppv.xxxurabi.com, and mywife.cc – that could redirect users to a page that exploits Java vulnerability CVE-2013-2465 to distribute the malware, the post indicates.

Why only use a single exploit to infect users?

“The exploitation success ratio is probably high enough for the Aibatook's operators,” Calvet said, adding this appears to be the early stages of the operation. “Using a more powerful exploit pack and targeting other web browsers would be the next logical step for the operators in order to increase the number of potential victims.”

ESET researchers stated in the post that it is unclear exactly how the Japanese adult websites are being compromised in the first place, but Calvet suggested that the attackers – whom ESET believes to be from Japan – might have used Aibatook to steal webmaster passwords.
