2019-04-05 - QUICK POST: FAKE UPDATES CAMPAIGN PUSHES CHTHONIC BANKING TROJAN

FILES:

ANOTHER EXAMPLE OF THE FAKE UPDATES PAGE CAPTURED IN FIDDLER:


NOTE:  All zip archives and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.


IMAGES


Shown above:  Example of fake Chrome update page when using the Chrome web browser.



Shown above:  Link from the fake update page appears to retrieve information from the original site that kicked off this infection chain.



Shown above:  Downloaded .js file.  The last six hexadecimal characters before .js in the file name differ for each download.



Shown above:  Traffic from an infection filtered in Wireshark.



Shown above:  Artifacts from an infected Windows host.



Shown above:  Chthonic banking Trojan persistent on an infected Windows host.
