Chthonic trojan on the rise!

  • December 26, 2014
  • 3 min read

There is a new malware that is targeting online banking website and targeting individuals called Trojan-Banker.Win32.Chthonic, or ‘Chthonic’ for short. Chthonic uses botnet and web injection attacks targeting unsuspecting users and computers. It steals peoples sensitive information such as social security information, bank account numbers and can even steal the information that comes in from the webcam or microphone on workstations. Countries that have largest pool of infection include, the United Kingdom, the United States, Germany and Russia.

Is it the return of ZeuS?

Chthonic has a strong resemblance to another older malware version that was spreading this past February called ZeuS and ZeuS V2. Much like ZeuS, Chthonic use web injection attacks. Web injection attacks happen when an attacker alters the appearance of the web browser. For example, an unsuspecting user who browse to their online bank will be asked to enter their username and password. The attacker in this case would add an extra field as part of the login process like adding a drivers license number, an identification number or even their mothers maiden name as another input field – something that is totally unique to the person and can be used to aide in stealing their identity. The extra input field looks authentic and an unsuspecting user would not know if the web page was altered by the attacker or not. The user would then enter those extra credentials in the input field and the attacker would receive the critical information from the Chthonic malware once the user submitted to log in.

Security researchers believe that there a few organizations that may be using the Chthonic malware because of its encryption type. For example, the old ZeuS malware that was released earlier this year, used an AES or an RC4 symmetrical encryption type. Symmetrical encryption means that only one person has the key and is not known by anyone else. Think of it as keeping all your important stuff locked in the safe – only you have the key to open it. The encryption was used to keep the malware safe from being exposed or being reversed engineered. So why would someone use two methods of keeping the malware safe? This is the reason why some researchers believe that the trojan was used by different hacker groups – because of the different encryption types.

How it infects!

Chthonic installation occurs in two ways: by spear-phishing and or by downloading another malware that is posing as legitimate software. The spear-phishing method is where the hacker uses an enticing email that asks the user to click on a certain hyperlink or download and open the attached file. For the email attachment, the user would be asked to open .DOC file. Inside the document, there is a a RTF code (Rich Text Format) that is executed and then installed by the computer. Once this occurs, the computer is now infected with the malware and becomes apart of the botnet. A botnet is a group of computers infected with a type of malware that are used to communicate and work with each other. The botnet can also records keystrokes, video and audio files from the webcam, steal password files and any other input information. It can also monitor your internet activity. Microsoft released a patch for RTF vulnerability shortly after ZeuS malware discovery.

So what can you do to prevent your computer being infected?

  1. Do not open any attachments that appear spam or you are uncertain of.
  2. Ensure that your Microsoft workstations are patched regularly.
  3. If a banking site asks for other credentials that were never used before, you may want to call the bank to confirm that this is a new requirement.


Have a nice (malware-free) day!

What to read next

Reader Comments