Binary Options Virus Infection Campaign Revealed

Malware researchers have detected a new aggressive malvertising campaign, dubbed Binary Options, which distributes several kinds of malware, chiefly banking Trojans, to its targets.

Binary Options Virus Campaign Revealed

Security specialists have detected a new attack campaign that delivers several kinds of malware. It is characterized by a low profile and heavy IP address filtering, a tactic that keeps the malicious gateway out of sight of security researchers and of visitors from non-targeted regions. The researchers who discovered the campaign named it “Binary Options” because the criminals hide behind a fraudulent trading company front. This resembles the way some exploit kits and gateways hide behind scam sites; a well-known example is the Magnitude kit, which masks its sites as Bitcoin trading platforms and related establishments.

The threat actors behind the Binary Options campaign use a web template developed by a legitimate company and have deployed it on malicious sites that pose as legitimate businesses. The scammers have built clone sites that impersonate real ones, copying their design exactly and registering look-alike addresses.

Binary Options Virus Campaign Deployment

An interesting characteristic of the Binary Options campaign is that the decoy sites are meant to be seen only by visitors who are not selected for infection. Selected victims are forwarded by the hacker-controlled site to a second site without being shown any content. This second gateway is hosted on various domains, which are rotated according to their availability; they may well be registered automatically by a script. The infection route is as follows:


  1. When users interact with the malicious site they come into contact with hacker-controlled ad networks, which redirect them to the second gateways.

  2. During this exchange the victim’s IP address is checked against a predefined list. If the check passes, the victim is redirected to another site; otherwise only the decoy content is served.

  3. The infection itself is carried out by the RIG exploit kit.

  4. The final payload is a banking Trojan or a ransomware sample, selected according to the victim’s geolocation.
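The chain above leaves a recognizable trace in web proxy logs: the ad network answers with an empty-bodied redirect onto a short-lived gateway domain, the gateway answers with another empty-bodied redirect onto the exploit-kit landing page, and the same client later pulls an executable from that landing host. The following script is an added example written for this article, not code from the original analysis; the log lines are constructed, and the field order it parses (timestamp, client, method, URL, status, bytes, Location, Referer) is an assumption you would adapt to your own proxy format.

```python
"""Reconstruct redirect chains from proxy logs and flag the gate pattern:
content-less cross-domain redirect -> content-less cross-domain redirect
-> landing page -> executable download from the landing host.

Added example, not code from the original campaign analysis. Log lines are
constructed; the field order (ts client method url status bytes location
referer) is an assumption, adapt parse() to your proxy."""
from collections import defaultdict
from urllib.parse import urlparse

# Client 10.0.0.9 stands for a visitor whose IP failed the gate check: the
# ad network bounces it straight back to the decoy and it never sees the gateway.
SAMPLE_LOG = """\
1 10.0.0.5 GET http://decoy-trading.example/index.html 200 14210 - -
2 10.0.0.5 GET http://ads.example/click?c=77 302 0 http://gw-3f9k.example/go http://decoy-trading.example/index.html
3 10.0.0.5 GET http://gw-3f9k.example/go 302 0 http://land.example/?x=9 http://decoy-trading.example/index.html
4 10.0.0.5 GET http://land.example/?x=9 200 38120 - -
5 10.0.0.5 GET http://land.example/dl/update.exe 200 312000 - http://land.example/?x=9
6 10.0.0.9 GET http://decoy-trading.example/index.html 200 14210 - -
7 10.0.0.9 GET http://ads.example/click?c=77 302 0 http://decoy-trading.example/thanks.html http://decoy-trading.example/index.html
8 10.0.0.9 GET http://decoy-trading.example/thanks.html 200 2100 - -
"""


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, client, _method, url, status, size, location, _referer = line.split()
        events.append({"ts": int(ts), "client": client, "url": url,
                       "host": urlparse(url).hostname, "status": int(status),
                       "bytes": int(size),
                       "location": None if location == "-" else location})
    return events


def build_chains(events):
    """Group requests per client and follow each 3xx whose Location
    header is exactly the client's next request."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    chains = []
    for evs in by_client.values():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            chain = [evs[i]]
            j = i + 1
            while (chain[-1]["location"] and j < len(evs)
                   and evs[j]["url"] == chain[-1]["location"]):
                chain.append(evs[j])
                j += 1
            if len(chain) > 1:
                chains.append(chain)
            i = j
    return chains


def blind_hops(chain):
    """Redirects that show the visitor nothing (empty body) and move them
    to a different domain: the gateway behaviour described in the steps."""
    return [cur for cur, nxt in zip(chain, chain[1:])
            if 300 <= cur["status"] < 400 and cur["bytes"] == 0
            and cur["host"] != nxt["host"]]


def find_gate_chains(log_text, min_blind_hops=2):
    events = parse(log_text)
    findings = []
    for chain in build_chains(events):
        if len(blind_hops(chain)) < min_blind_hops:
            continue
        client, landing = chain[0]["client"], chain[-1]
        # A later executable download from the landing host is the strongest
        # corroboration that the chain ended in an exploit kit.
        payload = next((e["url"] for e in events
                        if e["client"] == client and e["ts"] > landing["ts"]
                        and e["host"] == landing["host"]
                        and urlparse(e["url"]).path.lower().endswith(".exe")), None)
        findings.append({"client": client,
                         "hosts": [e["host"] for e in chain],
                         "payload": payload})
    return findings


if __name__ == "__main__":
    for f in find_gate_chains(SAMPLE_LOG):
        print(f"{f['client']}: {' -> '.join(f['hosts'])} payload={f['payload']}")
```

The two-hop threshold is what separates the gate from ordinary ad click tracking, which usually redirects once and onto a page that renders. Because the IP filter sends non-targets back to the decoy, a researcher replaying the URL from a corporate or cloud address will typically record only the benign chain; the malicious one has to be found in the logs of real victims.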

The analyzed samples distribute the well-known banking Trojans Dreambot, Gozi and Ursnif, closely related variants of one family. They are able to inject code into the installed web browsers; we suspect that this feature covers the most popular ones – Google Chrome, Microsoft Edge, Internet Explorer, Mozilla Firefox and Safari. The malware can carry out complex surveillance of the victims by taking screenshots at will, recording their computer use and redirecting all network traffic.

The retrieved samples show that the various Trojans are built in a modular fashion. Initial infection is done by a loader component which downloads the rest of the malware over an encrypted network stream from the remote server. During the first stages of deployment the malware engine checks whether it is running inside a virtual machine, in order to frustrate debugging and analysis. Such stealth protection can also help the malware evade detection or removal without a quality anti-malware solution. The modules are injected into the explorer.exe system process and a connection to a server on the Tor anonymity network is initiated.
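The injection into explorer.exe followed by an outbound connection from that process is something endpoint telemetry can catch: Sysmon records a CreateRemoteThread as Event ID 8 and a network connection as Event ID 3, and correlating the two on the target process ID gives a far stronger signal than either alone. The script below is an added example written for this article, not code from the original analysis. Its event records are constructed; the field names follow Sysmon's schema, while the 15-minute correlation window, the destination port and the list of internal networks are assumptions.

```python
"""Correlate Sysmon-style events: a loader injects into explorer.exe
(Event ID 8, CreateRemoteThread) and the injected explorer.exe then opens
an outbound connection (Event ID 3) to an external address.

Added example, not code from the original analysis. Event records are
constructed; field names follow Sysmon's schema, the correlation window,
port and internal-network list are assumptions."""
import ipaddress
from datetime import datetime, timedelta

# Deliberately explicit list rather than ipaddress.is_private, which would also
# treat the documentation ranges used in the sample events as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
WINDOW = timedelta(minutes=15)   # assumption: injection-to-beacon gap worth correlating

EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "UtcTime": "2017-06-01 09:58:00",
     "Image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "ProcessId": 4312},
    # explorer.exe talking out before anything was injected: ordinary noise
    {"EventID": 3, "UtcTime": "2017-06-01 09:59:00", "Image": r"C:\Windows\explorer.exe",
     "ProcessId": 1204, "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    # the loader creates a thread inside explorer.exe
    {"EventID": 8, "UtcTime": "2017-06-01 10:00:02",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "SourceProcessId": 4312,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 1204},
    # seconds later the injected explorer.exe beacons out (9001 is a common Tor relay port)
    {"EventID": 3, "UtcTime": "2017-06-01 10:00:05", "Image": r"C:\Windows\explorer.exe",
     "ProcessId": 1204, "DestinationIp": "203.0.113.44", "DestinationPort": 9001},
    # an internal SMB connection from the same process: not external, not flagged
    {"EventID": 3, "UtcTime": "2017-06-01 10:01:00", "Image": r"C:\Windows\explorer.exe",
     "ProcessId": 1204, "DestinationIp": "192.168.1.10", "DestinationPort": 445},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events, window=WINDOW):
    """Alert on any process that connects to an external host within
    `window` after another process created a thread inside it."""
    injections = {}   # target pid -> [(time, injecting image)]
    for e in events:
        if e["EventID"] == 8:
            injections.setdefault(e["TargetProcessId"], []).append(
                (_ts(e["UtcTime"]), e["SourceImage"]))
    alerts = []
    for e in events:
        if e["EventID"] != 3 or not is_external(e["DestinationIp"]):
            continue
        t = _ts(e["UtcTime"])
        for inj_time, injector in injections.get(e["ProcessId"], []):
            if inj_time <= t <= inj_time + window:
                alerts.append({"time": e["UtcTime"], "process": e["Image"],
                               "injected_by": injector,
                               "dst": f'{e["DestinationIp"]}:{e["DestinationPort"]}'})
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"{a['time']} {a['process']} -> {a['dst']} (injected by {a['injected_by']})")
```

explorer.exe makes legitimate outbound connections of its own, so the connection alone is not actionable; what matters is that it follows a CreateRemoteThread from an image in a user-writable path. In production you would allowlist known injectors such as EDR agents by SourceImage, and treat the port as a weak hint only, since a Tor connection can just as well use 443.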

Consequences Of The Binary Options Virus Campaign

Such campaigns can deploy a wide variety of malware. Some of the dangers associated with them include the following:

  • The hackers have used a clever decoy, stealing the design of a legitimate company and reusing its own strategy for drawing in users.

  • The analyzed campaign used the RIG exploit kit, a highly modular framework. An experienced attacker can easily modify the kit and integrate additional modules and payloads.

  • The attackers use a wide range of secondary domains and hacker-controlled ad networks, which makes it hard to trace the primary sources of infection.

  • At the moment the hackers distribute banking Trojans from a single family. Further customization of the campaign might deliver other malware.

  • The banking Trojans are advanced malware that hijack the installed web browsers. In most cases they manipulate the most commonly used ones – Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer and Safari. They are able to create overlays that steal the account credentials the victim types in.

  • The surveillance options allow the hackers to initiate remote control and spying at will.

As always, we highly recommend that all users run a quality anti-malware solution to protect themselves from intrusion attempts and to remove active infections with a few mouse clicks.


Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
