Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Banking Trojan “URLZone” Targets Japan

Another banking Trojan that is known to be active in Europe has been seen targeting Japan, FireEye reported on Tuesday.

Another banking Trojan that is known to be active in Europe has been seen targeting Japan, FireEye reported on Tuesday.

Earlier this month, IBM researchers warned that cybercriminals had started using the Rovnix financial malware, which had been active in Europe, to target the customers of Japanese banks. Now, FireEye says URLZone, also known as Shiotob and Bebloh, has also started making rounds in Japan.

URLZone, which has been around since 2009, has been very active in Europe, particularly in Germany and Spain. However, in mid-December, FireEye spotted a new version of the malware being delivered to Japanese users via a spam campaign.

In July 2015, Arbor Networks reported that the authors of URLZone had made some changes to the Trojan’s command and control (C&C) communications. FireEye has now found a variant that leverages new persistence and evasion techniques.

The spam campaign used to deliver the malware in Japan involves emails with subject lines written in Japanese and English, and short sentences in Japanese for the body of the message.

The emails, most of which come from addresses on the softbank.jp and yahoo.co.jp domains, carry a ZIP archive designed to look like it contains image or document files. In reality, the archive contains a sample of the malware, which uses a technique known as process hollowing or process replacement to inject itself into the explorer.exe or iexplorer.exe processes in the initial infection stage.

Once it infects a machine, URLZone collects information on the system and sends it back to its C&C server. The threat attempts to reach its C&C at a domain that is hardcoded into the malware’s body, but if that fails, it makes use of a domain generation algorithm (DGA) to contact the server. When the C&C is reached, the Trojan downloads a configuration file containing the details of the targeted financial institutions.

The threat steals email addresses stored in the Windows Address Book. More sensitive information, such as web, email and FTP credentials, are stolen by injecting malicious code into processes associated with various applications, including Web browsers, FTP clients, and file explorers.

Advertisement. Scroll to continue reading.

URLZone clears its registry configuration when the victim logs off, reboots or shuts down the computer in order to remain persistent and evade detection. The malware does this by using window procedures, functions that process messages sent or posted to a window. The malware uses a window procedure to monitor messages for WM_QUERYENDSESSION, a message sent when the user ends a session or a system shutdown function is initiated.

In order to prevent the Trojan from running in a virtual environment, which usually happens when security experts are conducting an analysis, URLZone authors designed the threat to terminate if certain strings that indicate the presence of a virtual machine are detected.

The first URLZone campaign was detected in Japan in December 16, but FireEye also spotted larger spam runs on January 19 and 20, which suggests the operation is ongoing.

In addition to URLZone and Rovnix, security firms reported seeing Brolux, Neverquest, Tsukuba, and Shifu financial malware campaigns targeting Japan.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.