2019-04-05 - QUICK POST: FAKE UPDATES CAMPAIGN PUSHES CHTHONIC BANKING TROJAN

FILES:

• 2019-04-05-Fake-Updates-Campaign-pushes-Chthonic.pcap.zip   6.M kB (6,744,016 bytes)
• 2019-04-05-Fake-Updates-Campaign-malware-and-artifacts.zip   581 kB (581,404 bytes)
• 2019-04-05-Fake-Updates-Campaign-indicators.txt.zip   2 kB (1,968 bytes)

ANOTHER EXAMPLE OF THE FAKE UPDATES PAGE CAPTURED IN FIDDLER:

• 2019-04-05-fake-updates-campaign-from-www.med.ufro.cl.saz   3.6 MB (3,565,441 bytes)

 

NOTE:  All zip archives and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

IMAGES

Shown above:  Example of fake Chrome update page when using the Chrome web browser.

 

Shown above:  Link from fake update page appears to retrieve info from original site that kicked off this infection chain.

 

Shown above:  Downloaded .js file.  The last six hexadecimal characters before .js in the file name are different for each download.

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Artifacts from an infected Windows host.

 

Shown above:  Chthonic banking Trojan persistent on an infected Windows host.

 

Click here to return to the main page.