Cinobi Banking Trojan Goes After Users in Japan

The Cinobi Banking Trojan made its first moves in 2020 when its operators went after users in Japan. Surprisingly, they severely limited the Trojan's reach by relying on a set of two exploits, which only worked on Microsoft Internet Explorer. However, it seems that the Cinobi Banking Trojan is back once again, and this time the group behind it appears to be exploring new techniques, tools, and exploits.

The recent campaign relies heavily on social engineering and malvertising to deliver the dangerous payload. The fake content that the criminals use to spread the Cinobi Banking Trojan includes free pornographic games, fake reward point programs, and apps related to video streaming. Naturally, these new infection vectors have rapidly increased the number of Cinobi Banking Trojan victims. Another change in this new operation is that the operators are no longer targeting only traditional financial institutions. This time, the criminals are using Cinobi to try to steal cryptocurrency accounts as well.

Cinobi Banking Trojan Sites Filter Non-Japanese IPs

It is important to add that the campaign once again targets Japanese users exclusively. All sites hosting the payload use an IP filter: visitors from non-Japanese IP addresses see an error message instead of the payload if they click any of the malicious advertisements. Overall, the Cinobi Banking Trojan targets 11 Japanese financial institutions, three of which are also active in the cryptocurrency field.

Once a victim is infected, Cinobi will start working in the background to monitor the user's online activity. If it detects that the victim tries to access one of the online financial portals that the Trojan targets, then the payload will proceed to grab anything entered into the website's login form. The data is stored in a hidden folder, and it contains the website, date, username, password, session ID, and other information.

While most modern banking Trojans target Android, we still encounter Windows-compatible threats like Cinobi. These attacks are very dangerous because users might have no idea that their login credentials are being hijacked by cybercriminals. They will only notice that something is wrong when the fraudulent transactions begin. You should take preventive measures to stop threats like the Cinobi Trojan from reaching your device. Use an up-to-date antivirus application, and be careful when interacting with unknown sites and files. Never download apps and installers from untrustworthy sources.

August 10, 2021