Cinobi

Cinobi
(Type: Banking trojan, Backdoor, Info stealer)

(Trend Micro) The Cinobi banking trojan is split into four stages, with each stage downloading additional components and possibly performing environment or anti-virtual machine (VM) checks. There are two command-and-control (C&C) servers, with one of them returning stages 2 to 4, while the other one returns the configuration files.

[News Analysis] Trends:

Total Trend: 4

Trend Per Year
  2019: 1
  2020: 2
  2021: 1

Trend Per Month
  Dec 2019: 1
  Mar 2020: 2
  Aug 2021: 1



[News Analysis] News Mention Another Threat Name:

0 - Cinobi


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

Tactics (ID - Name):
  TA0043 - Reconnaissance
  TA0042 - Resource Development
  TA0001 - Initial Access
  TA0002 - Execution
  TA0003 - Persistence
  TA0004 - Privilege Escalation
  TA0005 - Defense Evasion
  TA0006 - Credential Access
  TA0007 - Discovery
  TA0008 - Lateral Movement
  TA0009 - Collection
  TA0011 - Command and Control
  TA0010 - Exfiltration
  TA0040 - Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port | Timestamp
Domain  | Timestamp
URL     | Timestamp


[Target Analysis] Region/Sector:

No information


References:

Basic Information (Credit @etda.or.th)

Tool: Cinobi

Names: Cinobi

Description: (Trend Micro) The Cinobi banking trojan is split into four stages, with each stage downloading additional components and possibly performing environment or anti-virtual machine (VM) checks. There are two command-and-control (C&C) servers, with one of them returning stages 2 to 4, while the other one returns the configuration files.

Category: Malware

Type: Banking trojan, Backdoor, Info stealer

Information: https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html

Information: https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf

Information: https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/

Information: http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi

Last-card-change: 2021-12-28

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

Indicators of Compromise (Credit @ThreatFox)

SHA256_HASH
  • 364da9b873e03c1f298a771cbc3b431504b1ecbf7d78119f700ee8b181ecae30
  • 3f8253a142d5d8ed4cac3e55ed999ada6397913cf49e64708cbcc1e24635ee32
