Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Attack Combines Phishing, Steganography, PowerShell to Deliver Malware

URLZone Morphs Into a Downloader for Ursnif

Researchers have discovered a malware campaign targeting Japan and combining phishing, steganography, PowerShell, and the URLZone and Ursnif malwares.

URLZone Morphs Into a Downloader for Ursnif

Researchers have discovered a malware campaign targeting Japan and combining phishing, steganography, PowerShell, and the URLZone and Ursnif malwares.

The basic process described in a new report from Cybereason is a malspam campaign with a weaponized Excel document containing a PowerShell script that downloads steganographic images. The script extracts further Base64 and AES-encrypted and compressed PowerShell code from the images. This code subsequently downloads a stripped-down version of URLZone which is then used as a downloader for the Ursnif banking trojan.

The key elements of the campaign are that it is finely targeted against Japanese users, and that URLZone has been repurposed as an evasive downloader. The combination of PowerShell and steganography to deliver URLZone is an evasive technique to avoid detection.

The targeting comes first via the malspam campaign, and secondly through a series of location checks by the malware. The initial excel file uses a VBA macro to check the machine’s country setting. If it is not ‘Japan’, the application closes; otherwise it proceeds. This script downloads, extracts and decodes more PowerShell code via a 600×600 pixel image. The extracted code then retrieves the initial payload, again steganographically hidden. The payload is extracted and decrypted — and at this point a further geographic/language check is made. It uses the function (&Get-Culture).LCID to access the machine’s language identifier and uses it as part of the decryption routine.

The initial payload is basically URLZone. URLZone, aka Bebloh and Shiotab, is a banking trojan that first appeared in 2009. It uses man-in-the-browser techniques and Windows API call-hooking to steal banking information. Its use against Japanese targets is not uncommon.

In this instance, however, it has been repurposed from a banking trojan into a downloader. More specifically, say the researchers, “the banking trojan capabilities were effectively stripped from this variant. In this variant, URLZone is used solely as a downloader for additional malware.”

It seeks to evade detection and analysis through a series of anti-analysis checks. It checks the CPU brand, and if it is ‘Xeon’, the malware exits. It checks for Sandboxie, VirtualBox, and VMware. It performs an anti-debugging check and checks for the strings, ‘sample’, ‘virus’, and ‘sandbox’ in the process path. Finally, it creates a mutex with a string based on the name and install date of the machine, and if the mutex already exists, the malware terminates.

If all is well, URLZone launches explorer.exe and injects into it. (If this fails for any reason, it launches iexplorer.exe and injects there.) It initializes explorer.exe in suspended mode, creates a memory-mapped section, and writes itself to it. It writes shellcode to the memory of the suspended explorer.exe, which loads the portable executable written to the memory-mapped section of explorer.exe.

This version of URLZone is a downloader. It checks connectivity with Google and attempts to connect to a hardcoded C2 server. If this connection fails, if the server is off-line or has been taken down, it uses a DGA to find an alternative C2 (the DGA uses the previous domain as the seed for the newly generated domain name).

The C2 returns a list of addresses to URLZone, from which it downloads additional malware, writes it to a randomly named folder within the temp folder, and executes it. In this campaign, the final downloaded malware detected by Cybereason was the Ursnif banking trojan. New versions of Ursnif have been common since the source code was leaked in 2015, and Cybereason reported on an earlier Ursnif campaign, also targeting Japan, in March 2019. “The new variant,” say the researchers, “features a stealthy persistence mechanism, revamped information-stealing modules focusing on mail clients and cryptocurrency, and targets Japanese security products.”

Related: Ursnif Trojan Uses Fileless Persistence and CAB for Stealthily Data Exfiltration 

Related: Ursnif Trojan Uses New Malicious Macro Tactics 

Related: Kronos Banking Trojan Has Returned 

Related: Ursnif Banking Trojan Gets Mouse-Based Anti-Sandboxing 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.