After a good two to three years of relative silence, the gang behind the banking Trojan URLZone has become more active over the past few months and taken aim at banks across Europe and beginning last month, Japan.
Attackers have begun sending spam emails with poisoned attachments to customers at 14 different Japanese banks, according to Limor Kessem, a cybersecurity evangelist with IBM who wrote about the malware’s latest moves on Monday.
“The malware itself is considered sophisticated and complex, but the current target list and webinjection set appear basic and may have been developed or bought from a specialized black-hat vendor,” Kessem wrote.
The malware can be especially stealthy. After making off with a victim’s money, in some instances, URLZone hides the transaction line with HTML injections, making it appear like no money was taken.
To hide mule account lists, the malware has also been known to send back unrelated bank account numbers from its command and control server to further confound researchers and banks.
According to Kessem, the malware uses the following features to defraud banking customers:
- Customer credentials theft;
- Screenshot grabber;
- Webinjections for social engineering and hiding account balances;
- Use of a transaction orchestration panel;
- Use of a domain generation algorithm (DGA) as a fallback for the botnet’s communications;
- Encrypted C&C communications;
- Encrypted webinjection configuration file; and
- Elaborate security and research evasion features.
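The DGA fallback in that list is the feature defenders can most readily look for in their own telemetry: when the hard-coded C&C is unreachable, a DGA-driven bot resolves many algorithmically generated names, most of which do not exist. The following is an added example (not code from the article, from IBM, or from the malware) of a small heuristic that scores DNS query log lines for DGA-like second-level labels and then groups hits per client. The log line format and the sample lines are constructed for the example; the thresholds are assumptions to be tuned against a site's own traffic.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (made up for this example; not taken
# from the article or from IBM's report). The line format itself is assumed.
SAMPLE_DNS_LOG = """\
2016-02-15T09:01:02Z client=10.0.0.21 query=www.example.com type=A
2016-02-15T09:01:05Z client=10.0.0.21 query=threatpost.com type=A
2016-02-15T09:01:09Z client=10.0.0.44 query=qzkxwvtrbpnm.net type=A
2016-02-15T09:01:11Z client=10.0.0.44 query=xjwqvbtzkrlpsdg.com type=A
2016-02-15T09:01:14Z client=10.0.0.44 query=ckzqpwmvbnxrt.info type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")
VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Return the label left of the TLD, e.g. 'example' for 'www.example.com'.
    (Naive: treats the last label as the TLD; a public-suffix list would be
    more accurate for names like example.co.uk.)"""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_like_dga(label):
    """Heuristic: long, high-entropy labels with almost no vowels or very
    long consonant runs resemble machine-generated names. Thresholds are
    assumptions chosen for this example."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    entropy = shannon_entropy(label)
    return entropy >= 3.0 and (vowel_ratio < 0.2 or longest_consonant_run(label) >= 6)


def flag_dga_queries(log_text):
    """Return (client, domain) pairs whose query looks DGA-generated."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        domain = m.group("query")
        if looks_like_dga(registrable_label(domain)):
            flagged.append((m.group("client"), domain))
    return flagged


def clients_over_threshold(flagged, threshold=3):
    """Clients with at least `threshold` DGA-like lookups: a single odd name
    is noise, a burst from one host is worth investigating."""
    counts = Counter(client for client, _ in flagged)
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = flag_dga_queries(SAMPLE_DNS_LOG)
    for client, domain in hits:
        print(f"DGA-like lookup from {client}: {domain}")
    print("hosts to investigate:", clients_over_threshold(hits))
```

Character statistics alone produce false positives on CDN hostnames, hashed labels and short brand names, so in practice the per-client count is combined with the NXDOMAIN rate and an allowlist of known-good domains before anything is escalated.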
IBM points out that while URLZone was basically silent from 2013 to 2015, last August a new version of the malware surfaced. This version was notable not just because it had upgraded evasion techniques but because it came retrofitted with files designed to target banking customers in the U.K., Italy, Poland, and Croatia. In December of last year, attackers began using the malware to hit banks in Spain. While they’re still doing so, it’s to a lesser extent than the attacks on Japan, researchers claim.
The URLZone gang is the latest of three groups to narrow their sights on Japanese banks over the last year. One group used the more sophisticated Shifu Trojan to hit 14 banks in August, while another group was found distributing the Rovnix Trojan via malicious .zip attachments in emails in early December.
Unlike those Trojans, URLZone has been around in some iteration or another since 2009.
In one campaign from the malware’s early days, a gang combined URLZone with the LuckySploit exploit toolkit and made off with 300,000 Euro from German bank customers over the course of a few weeks.
It was around the same time that attackers with the gang began generating phony mule account data to throw researchers off their scent.
Researchers believe Shifu and Rovnix may have paved the way for URLZone’s resurgence. Each infected victims via email spam, suggesting the gangs are likely sharing mule accounts and other resources, buying tools from one another, or buying from the same vendor.
“Since the URLZone group is coming into Japan after other gangs have already set up shop in the country, it is very likely they would be able to rely on mule accounts and trusted rogue agents to work with locally.”