Legitimate emails sent from PayPal's official email address included links that redirected users to a website that distributed Chthonic, a newer variant of the infamous Zeus banking trojan.

At the source of this problem is a PayPal feature that allows users to request money from other people.

The requester could fill a form, enter another user's PayPal email address, the sum they wanted to be transferred, and a custom message.

All emails looked legitimate. They are legitimate.

PayPal then took all this data and sent it to the person from whom the money was requested. The problem here is that all these emails came from PayPal's official email address, and users would have had a hard time detecting anything wrong.

Crooks leveraged the latter custom field in the money request form to enter custom text that also included a Goo.gl short URL. This short link resolved to a website that automatically downloaded the paypalTransactionDetails.jpeg.js file on the user's computer.

If a user ran this JavaScript file, the malicious code would download and install a flash.exe binary that would infect their computer with the Chthonic trojan.

At a later stage, Proofpoint researchers also noticed that Chthonic would download another module called AZORult. At this time, there are no details on what this module does, and Proofpoint researchers are still investigating its code.

Campaign had a low volume

The good news is that, according to Google's statistics, the malicious URL has been accessed only 27 times.

Researchers aren't sure if the crooks behind this campaign hacked into legitimate PayPal accounts, or they created new ones from scratch.

"We are not sure how much of this process was automated and how much manual, but the email volume was low," Proofpoint says, adding that "the technique is both interesting and troubling."