Trojans targeting banks in South Korea have been using Pinterest as a Command and Control channel

Security researchers at Trend Micro Lab had found that some banking Trojans were specifically targeting South Korean banks. It has now been discovered that these banking Trojans use Pinterest to communicate with their command-and-control infrastructure and also to redirect victims to spoofed sites containing malware payloads.

Some of the banks that have fallen victim to these attacks are Hana Bank, Nonghyup Bank, the Industrial Bank of Korea (IBK), Shinhan Bank, Woori Bank, Kookmin Bank, and the Consumer Finance Service Center. Once a customer has been infected with the malware and redirected to a phishing site that looks like a legitimate banking website, the criminals are able to steal their banking credentials. However, this is the first time that a Trojan has been found to use Pinterest to spread itself.


The Trojan identified in this attack is dubbed TSPY_BANKER.YYSI. It is part of the BANKER malware family and seems to have been developed to attack South Korean banks. It is being spread in South Korea through compromised websites serving the malware, which redirect their visitors to download the exploit kit. Once it infects a system, the Trojan monitors victims’ online activities and redirects them to a phishing website when they attempt to access the websites of certain financial institutions.

The TSPY_BANKER.YYSI Trojan also targets visitors to a popular South Korean search engine. When victims visit this search site, they are presented with a pop-up window containing links to the websites of banks monitored by the malware.

As said above, the TSPY_BANKER.YYSI banking Trojan uses Pinterest in its command and control (C&C) routines. Instead of contacting a C&C server directly, the Trojan accesses comments posted on Pinterest. The comments shown in the image above are encoded IP addresses, such as “104A149B245C120D.” The address is decoded by replacing the letters with dots, and the resulting IP address hosts the phishing page server. Trend Micro states that the Trojan authors are using this tactic to avoid detection and hide the Trojan.
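For defenders, the same letters-for-dots rule can be turned into a hunt over comment text captured by a proxy or sandbox. The Python sketch below is an added example, not code from Trend Micro or the original article; the function names and all sample comments except the article's own token are constructed for illustration.

```python
import ipaddress
import re

# Four runs of 1-3 digits separated by single letters, optionally ending in a
# letter as in the article's sample. Lookarounds keep us out of longer tokens.
ENCODED_IP = re.compile(
    r"(?<![0-9A-Za-z])(?:\d{1,3}[A-Za-z]){3}\d{1,3}[A-Za-z]?(?![0-9A-Za-z])"
)

def decode_token(token):
    """Apply the article's rule (letters become dots); None if not valid IPv4."""
    dotted = re.sub(r"[A-Za-z]", ".", token).rstrip(".")
    try:
        return str(ipaddress.IPv4Address(dotted))
    except ipaddress.AddressValueError:
        return None

def scan_comments(comments):
    """Return (comment_index, raw_token, decoded_ip) for every valid hit."""
    hits = []
    for idx, text in enumerate(comments):
        for match in ENCODED_IP.finditer(text):
            ip = decode_token(match.group(0))
            if ip is not None:
                hits.append((idx, match.group(0), ip))
    return hits

# Constructed sample comments; only the first token comes from the article.
SAMPLE_COMMENTS = [
    "104A149B245C120D",
    "love this recipe, saved 12 pins today",
    "order ref 300A1B2C3D shipped",      # octet 300 is out of range: rejected
    "model X104A149B245C120D",           # embedded in a longer token: skipped
    "firmware build 1a2b3c4d",           # benign hex-like string: false positive
]

if __name__ == "__main__":
    for idx, token, ip in scan_comments(SAMPLE_COMMENTS):
        print(f"comment {idx}: {token} -> {ip}")
```

Short hex-like strings also satisfy the pattern, as the last sample shows, so hits are leads to correlate with outbound connections from the same host rather than verdicts on their own.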

Trend Micro also found that this particular Trojan leveraged exploits for two patched Internet Explorer vulnerabilities, CVE-2013-2551 and CVE-2014-0322, to deliver the malware. The exploit code is heavily obfuscated; however, Trend Micro researchers have concluded that it is similar to Sweet Orange, an exploit kit that has been used in several cyber crime campaigns.

Resource: TrendMicro Labs.