Chthonic Banking Trojan


This is a security alert for all TruShield clients, the financial services industry, and the community as a whole. We have learned of a new variant of the Zeus Trojan called Chthonic. The campaign distributing it abuses PayPal's legitimate money-request feature to spread.


About Chthonic Banking Trojan

Chthonic was discovered by Proofpoint analysts. The Trojan spreads by email, and the emails come from a legitimate service, PayPal. In one email that Proofpoint analysts examined closely, the subject line contained the phrase “You’ve got a money request” and the message appeared to come from PayPal. According to Proofpoint, the senders are not spoofed: the emails originate from legitimate or stolen PayPal accounts, which the malicious actors use to send a money request to the intended victim.

The problem is that because this email is sent by a legitimate service from a legitimate account, it is not blocked: the notification itself carries no malicious content. Instead, the malicious URL is inserted into the notes section of the PayPal money request, so it appears in the body of the email PayPal sends. The malicious actors then rely on social engineering to get the victim to click the link included in the specially crafted message. A person receiving such an email would hopefully be suspicious, since they have no memory of owing the money, but that same person will also want to find out more about the request. So the likelihood of a user clicking the malicious link is high: the message concerns money, and most individuals have several financial accounts connected to their PayPal account.


Once the malicious link is clicked, the user is taken to a different website that downloads an obfuscated JavaScript file. If the user opens the file, an executable containing the Chthonic Trojan is downloaded, along with a second payload, AZORult. This campaign bypasses the security measures in place because it rides on the legitimate use of non-malicious services like PayPal.


Indicators of Compromise


URL in the email message:
URL after the redirect (hosting the js):
SHA256 paypalTransactionDetails.jpeg.js:
URL JavaScript payload flash.exe:
Domain Chthonic C&C:
URL Chthonic 2nd Stage hosting:
SHA256 Chthonic 2nd Stage (AZORult):




  • Avoid clicking on links in an email. Type the website address directly into the browser's address bar to navigate to a particular business page.
  • Consider using open source analysis tools to analyze URLs within an email.
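As an added example (not from this advisory or from Proofpoint's analysis), a small Python triage script that applies the two recommendations above to a constructed money-request notification: every URL in the message body whose host is outside paypal.com is flagged, as is a download name that hides a script behind a double extension, like the paypalTransactionDetails.jpeg.js name listed in the indicators above. The sample email, the redirect host and the trusted-domain list are assumptions for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not a real campaign email): a PayPal money-request
# notification whose sender note carries a link off the PayPal domain.
SAMPLE_EMAIL = """From: service@paypal.com
Subject: You've got a money request
Content-Type: text/plain; charset=us-ascii

A PayPal user sent you a money request for $250.00.
Note from sender: see the transaction details at
http://redirect.example.invalid/paypalTransactionDetails.jpeg.js
View the request: https://www.paypal.com/myaccount/transfer/homepage
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRUSTED_SUFFIXES = ("paypal.com",)   # assumption: the only host this mail should link to
SCRIPT_EXTS = {"js", "jse", "vbs", "wsf", "hta", "exe"}

def is_trusted_host(host):
    """True when host is the trusted domain itself or a subdomain of it."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def hidden_script_name(path):
    """True for names like picture.jpeg.js: an inner 'document' extension
    followed by a script or executable extension."""
    parts = path.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS

def triage_email(raw):
    """Return one finding per suspicious URL found in the message body."""
    msg = message_from_string(raw)
    body = msg.get_payload()          # single-part text message in the sample
    findings = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        reasons = []
        if not is_trusted_host(parsed.hostname):
            reasons.append("host outside trusted domain")
        if hidden_script_name(parsed.path):
            reasons.append("download name hides a script behind a double extension")
        if reasons:
            findings.append({"url": url, "host": parsed.hostname, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print(finding["url"], "->", "; ".join(finding["reasons"]))
```

The legitimate paypal.com link in the sample produces no finding, so the output is only the off-domain .jpeg.js download.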



Zeus continues to evolve and remains a prominent Trojan in the banking malware family. This campaign uses social engineering through a legitimate service to scare victims into downloading Chthonic, a malicious new variant of the Trojan. It raises the concern that this may be the path other malicious campaigns take to avoid detection by antivirus products.

Copyright © 2018