Attackers behind the pervasive banking Trojan Ursnif have made Japan one of their top targets, delivering the malware via spam campaigns that began last month.
For years, Ursnif (or Gozi) has targeted Japan along with North America, Europe and Australia. But according to a recent IBM X-Force analysis of the malware, hackers have stepped up Ursnif campaigns in Japan that include new targets and evasion techniques.
“The Ursnif banking Trojan was the most active malware code in the financial sector in 2016 and has maintained its dominance through 2017 to date,” according to an X-Force report released Thursday. “But one of its most popular targets in 2017 has been Japanese banks, where Ursnif’s operators were very active in late Q3 2017, starting in September.”
Recent samples indicate criminal groups are no longer just targeting banks and banking credentials. “In addition to banks, the active Ursnif variant in Japan also targets user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites,” wrote Limor Kessem, executive security advisor for IBM and author of the report.
Ursnif is a widespread threat that was discovered in 2007. Its original targets were online banking wire systems in English-speaking countries. That changed in 2010, when source code for the Trojan was accidentally leaked. The leak led to the development of Ursnif v2, which adopted web-injection techniques and leveraged a hidden virtual network computing (hVNC) feature.
Toward the end of 2010, the original Ursnif targeted primarily banks in Europe, the U.K. and the United States. Fast forward to 2017, and Ursnif now targets banks in Bulgaria, Poland, Spain and the Czech Republic, in addition to its targets in North America, Australia and Japan, according to X-Force.
The most recent version of Ursnif is capable of a number of malicious activities, including script-based browser manipulation, web injections, man-in-the-browser functionality, form grabbing, screen capture, session video grabbing, and hidden VNC and SOCKS proxy attacks.
In terms of its delivery methods, Ursnif has used malspam and exploit kits.
In its recent campaigns in Japan, Ursnif has been using malspam. That has included emails with fake attachments pretending to be from financial services and payment card providers in Japan. Another malspam variant delivers an HTML link that triggers a download of a .zip file containing a JavaScript file. The script launches a PowerShell script that fetches the Ursnif payload.
Keeping in line with Ursnif’s anti-detection mechanisms, the most recent variant examined by X-Force uses a “macro evasion technique that launches PowerShell only after the user closes the malicious file,” writes Kessem. “This method helps the malware evade sandbox detection,” she said.
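Both delivery chains above (a .js file from a .zip launching PowerShell, and a macro launching PowerShell when the document is closed) leave the same trace on the endpoint: a script host or an Office application becomes the parent of a PowerShell process. The following detection logic is an added example written for this article, not code from IBM X-Force or the report; the process-event format and the sample events are constructed for illustration.

```python
"""Flag script-host -> PowerShell and Office -> PowerShell parent chains."""
from dataclasses import dataclass

# Parents that should not normally spawn PowerShell on a user workstation:
# script engines running a .js attachment, and Office apps finishing a macro.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:  # constructed event shape, not a specific product's schema
    pid: int
    ppid: int
    image: str
    cmdline: str


def _base(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either separator."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious_chains(events):
    """Return (kind, parent, child) for each PowerShell process whose parent
    is a script host ("script-host") or an Office app ("office-macro")."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _base(e.image) not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in the window of events we have
        pimg = _base(parent.image)
        if pimg in SCRIPT_HOSTS:
            hits.append(("script-host", parent, e))
        elif pimg in OFFICE_APPS:
            hits.append(("office-macro", parent, e))
    return hits


# Constructed sample events (not real telemetry): one .js chain, one macro
# chain, and one benign interactive PowerShell that must not be flagged.
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\AppData\Local\Temp\invoice.js"'),
    ProcEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden"),
    ProcEvent(300, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n notice.doc"),
    ProcEvent(301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden"),
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for kind, parent, child in find_suspicious_chains(SAMPLE):
        print(f"[{kind}] {_base(parent.image)} (pid {parent.pid}) -> {_base(child.image)} (pid {child.pid})")
```

Because the macro variant only spawns PowerShell when the document is closed, a rule keyed on the parent process catches it even if a sandbox never closes the file and so never sees the child at all.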
Other evasion techniques used by Ursnif have included using the Tor network to hide command-and-control communications. In July, Forcepoint detected another anti-sandboxing technique used by Ursnif that red-flagged mouse movements that indicated a research environment. If a sandbox environment was detected, the booby-trapped attachments wouldn’t deliver their payloads.
Why target Japan? “The history of organized cybercrime in Japan is not very long,” explains Kessem. “In most cases of malware migration, cybercriminal groups with adequate resources are looking for easier money, less security and an element of surprise for users who are less accustomed to their spam ploys and social engineering during the banking session.”