Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Attack Combines Phishing, Steganography, PowerShell to Deliver Malware

URLZone Morphs Into a Downloader for Ursnif

Researchers have discovered a malware campaign targeting Japan and combining phishing, steganography, PowerShell, and the URLZone and Ursnif malwares.

URLZone Morphs Into a Downloader for Ursnif

Researchers have discovered a malware campaign targeting Japan and combining phishing, steganography, PowerShell, and the URLZone and Ursnif malwares.

The basic process described in a new report from Cybereason is a malspam campaign with a weaponized Excel document containing a PowerShell script that downloads steganographic images. The script extracts further Base64 and AES-encrypted and compressed PowerShell code from the images. This code subsequently downloads a stripped-down version of URLZone which is then used as a downloader for the Ursnif banking trojan.

The key elements of the campaign are that it is finely targeted against Japanese users, and that URLZone has been repurposed as an evasive downloader. The combination of PowerShell and steganography to deliver URLZone is an evasive technique to avoid detection.

The targeting comes first via the malspam campaign, and secondly through a series of location checks by the malware. The initial excel file uses a VBA macro to check the machine’s country setting. If it is not ‘Japan’, the application closes; otherwise it proceeds. This script downloads, extracts and decodes more PowerShell code via a 600×600 pixel image. The extracted code then retrieves the initial payload, again steganographically hidden. The payload is extracted and decrypted — and at this point a further geographic/language check is made. It uses the function (&Get-Culture).LCID to access the machine’s language identifier and uses it as part of the decryption routine.

The initial payload is basically URLZone. URLZone, aka Bebloh and Shiotab, is a banking trojan that first appeared in 2009. It uses man-in-the-browser techniques and Windows API call-hooking to steal banking information. Its use against Japanese targets is not uncommon.

In this instance, however, it has been repurposed from a banking trojan into a downloader. More specifically, say the researchers, “the banking trojan capabilities were effectively stripped from this variant. In this variant, URLZone is used solely as a downloader for additional malware.”

It seeks to evade detection and analysis through a series of anti-analysis checks. It checks the CPU brand, and if it is ‘Xeon’, the malware exits. It checks for Sandboxie, VirtualBox, and VMware. It performs an anti-debugging check and checks for the strings, ‘sample’, ‘virus’, and ‘sandbox’ in the process path. Finally, it creates a mutex with a string based on the name and install date of the machine, and if the mutex already exists, the malware terminates.

If all is well, URLZone launches explorer.exe and injects into it. (If this fails for any reason, it launches iexplorer.exe and injects there.) It initializes explorer.exe in suspended mode, creates a memory-mapped section, and writes itself to it. It writes shellcode to the memory of the suspended explorer.exe, which loads the portable executable written to the memory-mapped section of explorer.exe.

This version of URLZone is a downloader. It checks connectivity with Google and attempts to connect to a hardcoded C2 server. If this connection fails, if the server is off-line or has been taken down, it uses a DGA to find an alternative C2 (the DGA uses the previous domain as the seed for the newly generated domain name).

The C2 returns a list of addresses to URLZone, from which it downloads additional malware, writes it to a randomly named folder within the temp folder, and executes it. In this campaign, the final downloaded malware detected by Cybereason was the Ursnif banking trojan. New versions of Ursnif have been common since the source code was leaked in 2015, and Cybereason reported on an earlier Ursnif campaign, also targeting Japan, in March 2019. “The new variant,” say the researchers, “features a stealthy persistence mechanism, revamped information-stealing modules focusing on mail clients and cryptocurrency, and targets Japanese security products.”

Related: Ursnif Trojan Uses Fileless Persistence and CAB for Stealthily Data Exfiltration 

Related: Ursnif Trojan Uses New Malicious Macro Tactics 

Related: Kronos Banking Trojan Has Returned 

Related: Ursnif Banking Trojan Gets Mouse-Based Anti-Sandboxing 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.