We recently discovered a new campaign that we dubbed “Operation Overtrap” for the numerous ways it can infect or trap victims with its payload. The campaign mainly targets online users of various Japanese banks by stealing their banking credentials using a three-pronged attack. Based on our telemetry, Operation Overtrap has been active since April 2019 and has been solely targeting online banking users located in Japan. Our analysis found that this campaign uses three different attack vectors to steal its victims’ banking credentials:

By sending spam emails with a phishing link to a page disguised as a banking website

By sending spam emails asking victims to run a disguised malware’s executable downloaded from a linked phishing page.

By using a custom exploit kit to deliver malware via malvertising

Figure 1. Operation Overtrap three-pronged attack flow

This blog will discuss how we discovered the campaign and introduce the brand-new banking trojan Cinobi. Meanwhile, a detailed look at the different attack vectors associated with this campaign, and a more in-depth analysis of dropped configuration files as well as Cinobi's features, are discussed in our technical brief.

Technical Analysis

Discovering Operation Overtrap

We first discovered the campaign in September 2019 using a then-unidentified exploit kit. Based on our data, Operation Overtrap has been using spam emails to deliver its payload to victims as early as April 2019.

In mid-September, we observed a significant number of victims being redirected to the exploit kit, which targeted Internet Explorer, after they have clicked on links from social media platforms. It should be noted, however, that the way the victims received the links has not been identified. It is also worth mentioning that Operation Overtrap only seems to target Japanese online banking users; it redirects victims with other geolocations to a fake online shop.

Upon analysis, we saw that the exploit kit only dropped a clean binary that does not perform malicious activities on a victim’s device. It also immediately closes after infection. It is still unclear why the threat actors behind Operation Overtrap initially delivered a clean binary file; it’s possible that they were testing their custom exploit kit during this stage of the campaign’s development.

Figure 2. A screengrab that shows exploit kit network traffic in September 2019

Figure 3. A screengrab that shows a clean file dropped by Operation Overtrap’s exploit kit

Operation Overtrap’s Custom Exploit Kit: Bottle Exploit Kit

On September 29, 2019, we observed that the exploit kit ceased to drop a clean file, and instead, delivered a brand-new banking trojan that we dubbed “Cinobi.” We also noted that the threat actors behind Operation Overtrap have stopped redirecting victims from social media and began to use a Japan-targeted malvertising campaign to push their custom exploit kit.

Another researcher later discovered the custom exploit kit, which was named the Bottle Exploit Kit (BottleEK). It exploits CVE-2018-15982, a Flash Player use after free vulnerability, as well as CVE-2018-8174, a VBScript remote code execution vulnerability. Victims will be infected with BottleEK’s payload if they access this particular exploit kit’s landing page with unpatched or outdated browsers. Our telemetry shows that BottleEK was the most active exploit kit detected in Japan in February 2020.

Figure 4. Exploit kit activity observed in Japan on February 2020 (Data obtained from Trend Micro Smart Protection Network™)

Brand-new banking malware: Cinobi

Operation Overtrap used a new banking malware we’ve decided to call Cinobi. Based on our analysis, Cinobi has two versions — the first one has a DLL library injection payload that compromises victims’ web browsers to perform form-grabbing.

This Cinobi version can also modify web traffic sent to and received from targeted websites. Our investigation found that all the websites that this campaign targeted were those of Japan-based banks.

Aside from form-grabbing, it also has a webinject function that allows cybercriminals to modify accessed webpages. The second version has all the capabilities of the first one plus the ability to communicate with a command-and-control (C&C) server over the Tor proxy.

Cinobi’s four stages of infection

Each of Cinobi’s four stages contains an encrypted position-independent shellcode that makes analysis slightly more complicated. Each stage is downloaded from a C&C server after certain conditions have been met.

First stage

The first stage of Cinobi’s infection chain, which has also been analyzed by another cybersecurity researcher, starts by calling the “GetUserDefaultUILanguages” function to check if the infected device’s local settings are set to Japanese.

Figure 5. Screengrab of Cinobi’s check to determine the device’s language settings using “GetUserDefaultUILanguages”

Cinobi will then download legitimate unzip.exe and Tor applications from the following locations:

ftp://ftp[.]cadwork.ch/DVD_V20/cadwork.dir/COM/unzip[.]exe

https://archive[.]torproject[.]org/tor-package-archive/torbrowser/8.0.8/tor-win32-0.3.5.8[.]zip

After extracting the Tor archive into the “\AppData\LocalLow\” directory, Cinobi will rename tor.exe to taskhost.exe and execute it. It will also run tor.exe with custom torrc file settings.

"C:\Users\<username>\AppData\LocalLow\<random_name>\Tor\taskhost.exe" –f

"C:\Users\<username>\AppData\LocalLow\<random_name>\torrc"

It will download the second stage of the malware payload from a .onion C&C address and save it in a randomly named .DLL file within the “\AppData\LocalLow\” folder. The filename of the first stage downloader is saved into a .JPG file with a random name.

Figure 6. Screengrab of the .JPG file that contains the filename of the first stage downloader

After this, Cinobi will run the second stage of its downloader on the victim’s machine.

Figure 7. Screengrab of code showing Cinobi running the second stage of its downloader on the victim’s machine

Second stage

Cinobi will connect to its C&C server to download and decrypt the file for the third stage of its infection chain. We observed that the filename of the third stage starts with the letter C, followed by random characters. Afterward, it will download and decrypt the file for the fourth stage, which has a filename that starts with the letter A, followed by random characters.

After these, Cinobi will download and decrypt a config file (<random_name>.txt) that contains a new C&C address.

Cinobi uses RC4 encryption with a hardcoded key.

Figure 8. Screengrab of code showing Cinobi’s decoded config file

Next, Cinobi will run the downloaded third stage infection file using the UAC bypass method via the CMSTPLUA COM interface.

Third stage

During the third infection stage, Cinobi will copy malware files from “\AppData\LocalLow\” to the “%PUBLIC%” folder. It will then install the fourth stage of the downloader (which was downloaded during the second stage) as Winsock Layered Service Provider (WSCInstallProviderAndChains).

Figure 9. Screengrab of code showing the installation of the infection’s fourth stage on the victim machine as “WSCInstallProviderAndChains”

Cinobi will then perform the following actions:

Change spooler service config to “SERVICE_AUTO_START”

Disable the following services: UsoSvc Wuauserv WaaSMedicSvc SecurityHealthService DisableAntiSpyware

Copy and extract Tor files to “%PUBLIC%” folder

Rename tor.exe to taskhost.exe

Create torrc in “%PUBLIC%” with the content “DataDirectory C:\Users\Public\<random_nam>\data\tor”

Create .JPG file with the original dropper name

Remove files from “\AppData\LocalLow\,” remove original dropper file

Fourth stage

Cinobi will call the WSCEnumProtocols function to retrieve information about available transport protocols. It will also call the WSCGetProviderPath function to retrieve the DLL path of the original transport provider. This function is called twice. The first call will return the malicious provider (as the fourth stage of the malware has already been installed during the third stage of infection). The second call will return the original transport provider (“%SystemRoot%\system32\mswsock.dll”) and resolve and call its WSPStartup function. Cinobi will then check the name of the process in which the malicious DLL provider gets injected. In practice, Cinobi should be injected into all processes that make network connections using Windows sockets.

Figure 10. Screengrab of processes where the malicious DLL provider has been injected

Best practices against spam and vulnerabilities

Operation Overtrap uses a variety of attack vectors to steal banking credentials. Users and organizations need to adopt best practices to protect their systems against messaging-related threats and avoid malicious advertisements. An example of a best practice is to have a central point for reporting suspicious emails. Organizations, through their IT teams, need to have a centralized information gathering system, and all employees must be aware of the reporting procedure for suspicious emails. Meanwhile, users can avoid malicious advertisements by avoiding clicking on suspicious links or pop-ups and updating software via official channels.

Organizations will benefit from regularly updating systems (or use virtual patching for legacy systems) to prevent attackers from taking advantage of security gaps. Additional security mechanisms like firewalls and intrusion detection and prevention systems will help thwart suspicious network activities such as data exfiltration or C&C communication.

Trend Micro Solutions

Organizations can consider Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.

Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection that stops spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.

For defending against malvertising campaigns in general, users can employ Trend Micro™ Maximum Security, which protects consumers via a multi-layered defense that delivers highly effective and efficient protection against ever-evolving threats. Trend Micro™ Smart Protection Suites also protect businesses against these types of threats by providing threat protection techniques designed to eliminate security gaps across multiple users and endpoints.

You may read our in-depth analysis of Operation Overtrap in this technical brief, which also contains details about possible links to other phishing campaigns and the indicators of compromise.