Connect with us

Hi, what are you looking for?


Malware & Threats

Banking Trojan “URLZone” Targets Japan

Another banking Trojan that is known to be active in Europe has been seen targeting Japan, FireEye reported on Tuesday.

Another banking Trojan that is known to be active in Europe has been seen targeting Japan, FireEye reported on Tuesday.

Earlier this month, IBM researchers warned that cybercriminals had started using the Rovnix financial malware, which had been active in Europe, to target the customers of Japanese banks. Now, FireEye says URLZone, also known as Shiotob and Bebloh, has also started making rounds in Japan.

URLZone, which has been around since 2009, has been very active in Europe, particularly in Germany and Spain. However, in mid-December, FireEye spotted a new version of the malware being delivered to Japanese users via a spam campaign.

In July 2015, Arbor Networks reported that the authors of URLZone had made some changes to the Trojan’s command and control (C&C) communications. FireEye has now found a variant that leverages new persistence and evasion techniques.

The spam campaign used to deliver the malware in Japan involves emails with subject lines written in Japanese and English, and short sentences in Japanese for the body of the message.

The emails, most of which come from addresses on the and domains, carry a ZIP archive designed to look like it contains image or document files. In reality, the archive contains a sample of the malware, which uses a technique known as process hollowing or process replacement to inject itself into the explorer.exe or iexplorer.exe processes in the initial infection stage.

Once it infects a machine, URLZone collects information on the system and sends it back to its C&C server. The threat attempts to reach its C&C at a domain that is hardcoded into the malware’s body, but if that fails, it makes use of a domain generation algorithm (DGA) to contact the server. When the C&C is reached, the Trojan downloads a configuration file containing the details of the targeted financial institutions.

The threat steals email addresses stored in the Windows Address Book. More sensitive information, such as web, email and FTP credentials, are stolen by injecting malicious code into processes associated with various applications, including Web browsers, FTP clients, and file explorers.

Advertisement. Scroll to continue reading.

URLZone clears its registry configuration when the victim logs off, reboots or shuts down the computer in order to remain persistent and evade detection. The malware does this by using window procedures, functions that process messages sent or posted to a window. The malware uses a window procedure to monitor messages for WM_QUERYENDSESSION, a message sent when the user ends a session or a system shutdown function is initiated.

In order to prevent the Trojan from running in a virtual environment, which usually happens when security experts are conducting an analysis, URLZone authors designed the threat to terminate if certain strings that indicate the presence of a virtual machine are detected.

The first URLZone campaign was detected in Japan in December 16, but FireEye also spotted larger spam runs on January 19 and 20, which suggests the operation is ongoing.

In addition to URLZone and Rovnix, security firms reported seeing Brolux, Neverquest, Tsukuba, and Shifu financial malware campaigns targeting Japan.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.