A new social-engineering-based malvertising campaign targeting Japan

Aug 18, 2021 07:17 GMT

The latest malvertising campaign targeting Japan deploys a banking Trojan on infected Windows computers and uses it to steal credentials, including those for cryptocurrency accounts.

Trend Micro analysts Joseph Chen and Jaromir Horejsi attributed the operation, in research published last week, to a threat actor they named Water Kappa. The group targets Japanese online banking customers with the Cinobi Trojan, relying on a range of tricks and vulnerabilities. It appears to have been very active lately and has released several other variants with small differences.

Water Kappa's latest infection routine starts with malicious ads for Japanese animated adult games, bonus-point apps, or video streaming services; the landing pages ask the victim to download an application. The download is a ZIP file that mostly contains files from an older, 2018 version of the Logitech Capture application, along with other modified files that are used to decrypt the victim's data. What is new in this strain is that it targets users of web browsers other than Internet Explorer, whereas previous versions targeted Internet Explorer users.

The malware was created specifically for Japan

The campaign is designed not only to block non-Japanese IP addresses from reaching the malicious advertisement pages but also to steal credentials for 11 Japanese financial institutions, three of which are active in bitcoin trading. When a user visits one of the targeted sites, the Cinobi form module is triggered, capturing the information entered in the login screens and storing it in the database.

The researchers concluded that the recent malvertising campaign shows Water Kappa remains active and keeps evolving its tools and tactics for greater financial gain. To reduce the likelihood of infection, users should be wary of unusual advertisements on dubious websites and, where possible, download programs only from reputable sources.