A social-engineering-based malvertising campaign targeting Japanese crypto users has been discovered. The campaign spreads via malicious applications by taking advantage of sideloading vulnerabilities in them. The exploited vulnerabilities are used to load and start the Cinobi banking trojan.

The new campaign from the Water Kappa actor is targeting Japanese users with malicious applications marketed as reward-points applications, free porn games, or video streaming applications. 

The sideloading vulnerabilities CVE-2020-1380 and CVE-2021-26411 exist in Internet Explorer and have been exploited to spread the Cinobi banking trojan. Researchers have observed five different themes of malvertisements, all of which try to fool unsuspecting users into downloading the same malware.

The group is using Cinobi to steal the credentials of its victims’ cryptocurrency accounts. The overall functionality of the new Cinobi sample is still the same as that used in the same threat actor's previous attack in March 2020.

The earlier campaign, in which Water Kappa was seen delivering Cinobi via spam, was named Operation Overtrap. The trojan was spreading via a Bottle exploit kit abusing Internet Explorer exploits. From 2020 to H1 2021, limited activity from the Bottle exploit kit was observed, with traffic decreasing in the middle of June. It is surmised that the threat actor was preparing updated tools or techniques.

The recent campaign shows that Water Kappa is still active and is investing in updating its Cinobi malware to attack cryptocurrencies. It apparently decreased its activities to enhance its tools, indicating that this financially motivated actor has a planned strategy.