New Trojans targeting banks in South Korea have been using Pinterest as a Command and Control channel
Last summer Trend Micro observed online banking Trojans that were targeting South Korean banks. Now, compromised sites that contain exploit kits are delivering banking Trojans to site visitors. Some of the banks being targeted include Hana Bank, Nonghyup Bank, the Industrial Bank of Korea (IBK), Shinhan Bank, Woori Bank, Kookmin Bank, and the Consumer Finance Service Center. Once a customer has been infected with malware and is redirected to a phishing site that looks like a legitimate banking website, the criminals are able to steal their credentials.
One interesting characteristic of this particular Trojan is that it is using Pinterest as its command-and-control server to redirect users to various spoofed banking sites:
Photo courtesy of Trend Micro
In these comments, replacing the letters with dots yields the IP address of the host serving the phishing page.
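The decoding described above, as an added example (not code from the original post or from Trend Micro) that an analyst could use to pull the hidden addresses out of a batch of comments and sort routable addresses from noise before adding them to a blocklist. The sample comments are constructed; the page does not state which letters the malware substitutes, so any letter run is treated as a dot.

```python
import ipaddress
import re

# Constructed sample comments. The first encodes the IP quoted in the post;
# the others use private or documentation ranges so they are not real hosts.
SAMPLE_COMMENTS = [
    "184A108A40A206",        # encoded IP, decodes to 184.108.40.206
    "Love this recipe!",     # ordinary comment, must be ignored
    "192x168x0x1",           # decodes to an RFC 1918 address (not routable)
    "203x0x113x10",          # decodes to a documentation address (not routable)
    "300A1A1A1",             # decodes to an invalid octet, must be ignored
]

# Four groups of 1-3 digits separated by one or more letters.
_ENCODED_IP = re.compile(
    r"^(\d{1,3})[A-Za-z]+(\d{1,3})[A-Za-z]+(\d{1,3})[A-Za-z]+(\d{1,3})$"
)


def decode_comment(comment: str):
    """Return the IPv4 address hidden in a comment, or None if it is not encoded."""
    m = _ENCODED_IP.match(comment.strip())
    if not m:
        return None
    candidate = ".".join(m.groups())
    try:
        return ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        # Matched the pattern but an octet is out of range (e.g. 300)
        return None


def extract_indicators(comments):
    """Decode every comment; return de-duplicated (ip, is_routable) pairs for review."""
    seen = {}
    for c in comments:
        ip = decode_comment(c)
        if ip is not None and ip not in seen:
            seen[ip] = ip.is_global  # private/reserved ranges are likely noise
    return [(str(ip), routable) for ip, routable in seen.items()]


if __name__ == "__main__":
    for ip, routable in extract_indicators(SAMPLE_COMMENTS):
        print(f"{ip:15} {'routable' if routable else 'not routable, likely noise'}")
```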
To demonstrate how the Cyveillance Cyber Threat Center can be used to add context to data points found with traditional anti-virus and anti-malware services, we entered one of the IP addresses, 184.108.40.206, into our geolocation tool and found the following:
- The IP Range 70.39.104.* is being run out of Cleveland, Ohio by an ISP
- Most of the domain names in this range contain Chinese content
- At least two instances of malware can be located on a website hosted in this range
With this added context, a security team could be confident in blacklisting this IP address and possibly the entire range because it has a recent history of hosting malware, and seemingly does not contain any websites that an employee of a U.S.-based company would need to access for normal business activities. Additional investigations into owners of IP ranges and domain names should be part of due diligence investigations before contracting with any ISP-related vendors.
It’s not surprising that criminals have figured out another way to use social media as an attack vector. It will be interesting to see if this type of malware spreads to other social networks, as well as how attacks are tailored to specific platforms.
Learn more about how to proactively monitor these types of threats with the Cyveillance Cyber Threat Center.