Chthonic Zeus Malware Spread through ‘authentic’ PayPal emails

Hackers are now spreading lethal banking Trojan via the PayPal money request tool.

Attackers are spreading the banking Trojan Chthonic Zeus through PayPal emails that appear authentic, the security firm Proofpoint reported. According to the company, the emails are genuine PayPal messages and so do not trigger antimalware warnings, because they are sent through PayPal itself from accounts that appear legitimate.

“The sender seems legit,” Proofpoint said. “The spammers are registering with PayPal or stealing PayPal accounts and then using the ‘money request’ feature to spread the Trojan,” the advisory continued to explain. Proofpoint uncovered that the attackers exploit the feature that allows payment requesters to include notes when requesting money from another account holder.

Proofpoint was able to isolate one such email. Gmail did not automatically flag it as spam, as it does emails that contain malware, because the email appeared authentic. “PayPal’s Payment request tool allows requesters to send brief notes along with the payment request message. The attacker included a note that contained a malicious URL,” the advisory stated.

The payment request is a double-edged sword. If the addressee of the malicious email opens the URL, their computer is infected with a banking Trojan. If they pay without confirming the legitimacy of the payment request, they lose whatever amount the attacker asked for. The recipient may also do both: open the URL and send the amount requested.

If the addressee of the email opens the URL, they are redirected to a website that is not PayPal. That site downloads a JavaScript file named paypalTransactionDetails.jpeg.js; the double extension makes a script look like an image. Once the victim opens the JavaScript file, it installs the executable malware on their system. In this case the executable is Chthonic, a variant of the Zeus banking Trojan.
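As an added defender-side illustration (not code from the Proofpoint report or this article), the two indicators in the chain above, a URL in a money-request note that does not point at PayPal and a script file disguised with an image or document extension, can be checked with a few lines of Python; the extension lists, the PayPal host list and the sample note are constructed assumptions for the example.

```python
import re
from typing import List
from urllib.parse import urlparse

# Assumption: script extensions that Windows runs on double-click.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "cmd", "bat", "ps1"}
# Assumption: extensions commonly used as a decoy so a script looks like a file that is safe to open.
DECOY_EXTENSIONS = {"jpeg", "jpg", "png", "gif", "pdf", "doc", "docx", "xls", "txt"}
# Assumption: only these hosts (and their subdomains) count as first-party PayPal links.
PAYPAL_HOSTS = ("paypal.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample note modelled on the campaign described in the article.
SAMPLE_NOTE = ("Invoice overdue. Review the transaction details here: "
               "http://attacker.invalid/paypalTransactionDetails.")


def is_disguised_script(filename: str) -> bool:
    """True when a filename ends in an executable script extension but carries a
    decoy image/document extension right before it, e.g. paypalTransactionDetails.jpeg.js."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:          # fewer than two extensions: nothing to disguise
        return False
    _, decoy, final = parts
    return final in SCRIPT_EXTENSIONS and decoy in DECOY_EXTENSIONS


def _is_paypal_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in PAYPAL_HOSTS)


def suspicious_urls_in_note(note: str) -> List[str]:
    """Return every URL in a money-request note whose host is not a PayPal domain.
    A look-alike such as paypal.com.attacker.invalid is still flagged, because the
    suffix check is applied to the full hostname, not to a substring."""
    flagged = []
    for url in URL_RE.findall(note):
        url = url.rstrip(".,;:)")                     # drop trailing sentence punctuation
        host = (urlparse(url).hostname or "").lower()
        if not _is_paypal_host(host):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    print("disguised:", is_disguised_script("paypalTransactionDetails.jpeg.js"))
    print("flagged URLs:", suspicious_urls_in_note(SAMPLE_NOTE))
```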

Proofpoint also found that Chthonic may download a secondary payload called AZORult, an undocumented malware that the company is currently analysing.

Fortunately, there are very few reports of the malware spreading by this method. Proofpoint attributes the limited spread to the attacker's need to open a PayPal account or obtain a compromised one.

As of now, PayPal has not said anything about Proofpoint’s findings.