Banking malware can be found in the strangest places, and a contender has been found in the popular boxing website allboxing.ru. The site, which has more than three million visitors per month, was infected with injected code that redirected users to a third-party site hosting an exploit and a Russian banking Trojan.

Discovered by Forcepoint Security Labs, the injected code was well hidden among the site's legitimate scripts because it copied their formatting style. The attacker also tried to load a malicious script from their own site, but that injection fails if the user is browsing with Chrome or Opera. The redirect URL adds a dash of social engineering: it includes the term "canvas", a boxing-ring reference, to lull suspicious boxing fans into thinking they are headed for another site in the industry.

Sneakiest of all the author's anti-detection methods, however, is code that counts the user's interactions with the site and only attempts the attack once that count goes above 30. This tactic, says Forcepoint, stops the attack from triggering in automated malware scanning and analysis systems that sweep the site for infection, since those load the page but generate little or no user interaction.

Once it is satisfied that the visitor is human, the script redirects them to the exploit page, which downloads the Buhtrap Russian banking Trojan, a malware suite that has been active since around 2014 and was used to defraud $25.7 million in 2015. "Attackers are getting better at disguising the code they inject into compromised websites," says Forcepoint Security Analyst Nicholas Griffin. "Websites with high volumes of traffic are a popular choice for attackers, and this is especially true if the bulk of the traffic is from a specific region of the world of interest to the attacker."

Buhtrap, he adds, appears to be the criminals' suite of choice following the arrest and takedown of those using the Lurk banking Trojan.

by Alex Hamilton
Alex is Senior Reporter at IBS Intelligence, follow him on Twitter or contact him at: alexanderh@ibsintelligence.com