A recently discovered malvertising campaign called Binary Options is redirecting internet users to a fake trading company webpage, before infecting some of these victims with a banking trojan via the RIG exploit kit.
According to a blog post from Malwarebytes, the malware appears to be an "ISFB" variant, putting it in the same family as the trojans Dreambot and Gozi. (The post notes that the malware shares certain key Dreambot attributes described in a previous Proofpoint report.) It includes some anti-virtualization features, performs browser injections, captures screenshots and video, and communicates with its command-and-control server via Tor.
The malvertising attack chain is initiated when a user visits a site compromised with malicious ads. These ads redirect the user to the decoy website, which mimics the web template from a binary options trading company called Capital World Option. The adversary behind this scheme actually created multiple doppelganger sites, using a similar naming convention for each, Malwarebytes reported.
The fake site performs an IP check that filters out unwanted IP addresses. Users who are rejected are not infected, and simply remain on the decoy website. Those who are approved for targeting don't actually see the website content because they are immediately passed on to a second-stage server that performs additional IP address filtering. Users who successfully pass through this additional filter are then passed on to the RIG exploit kit, which delivers the trojan.
Popads and PlugRush were among the compromised advertising networks that were detected in Malwarebytes' telemetry.
"Banking Trojans have been a little bit forgotten about these days as they are overshadowed by ransomware," states the blog post, written by Jerome Segura, lead malware intelligence analyst at Malwarebytes. "However, they still represent a significant threat and actually do operate safely in the shadows, manipulating banking portals to perform wire transfers unbeknownst to their victims or even the banks they are targeting."