2019-04-05 - QUICK POST: FAKE UPDATES CAMPAIGN PUSHES CHTHONIC BANKING TROJAN
FILES:
- 2019-04-05-Fake-Updates-Campaign-pushes-Chthonic.pcap.zip 6.7 MB (6,744,016 bytes)
- 2019-04-05-Fake-Updates-Campaign-malware-and-artifacts.zip 581 kB (581,404 bytes)
- 2019-04-05-Fake-Updates-Campaign-indicators.txt.zip 2 kB (1,968 bytes)
ANOTHER EXAMPLE OF THE FAKE UPDATES PAGE CAPTURED IN FIDDLER:
- 2019-04-05-fake-updates-campaign-from-www.med.ufro.cl.saz 3.6 MB (3,565,441 bytes)
NOTE: All zip archives and saz files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
IMAGES
Shown above: Example of fake Chrome update page when using the Chrome web browser.
Shown above: The link from the fake update page appears to retrieve info from the original site that kicked off this infection chain.
Shown above: Downloaded .js file. The last six hexadecimal characters before .js in the file name are different for each download.
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Artifacts from an infected Windows host.
Shown above: Chthonic banking Trojan persistent on an infected Windows host.