A newly discovered spam campaign powered by version two of the well-known Cutwail botnet has been found targeting Japanese users in an attempt to infect them with the URLZone (aka Bebloh) banking trojan.

In a company blog post yesterday, Crowdstrike researchers Sebastian Eschweiler, Brett Stone-Gross and Bex Hartley note that the operation leverages the art of stenography — the practice of concealing secret data inside larger files or images — in order to hide the payload.

The group behind the campaign, which Crowdstrike refers to as Narwhal Spider, commenced its latest activity on Oct. 24 in a spam operation featuring a malicious, macro-enabled Microsoft Excel attachment. Written in Japanese, typical subject lines in the spam emails included generic business jargon, including “Order Form,” “Submit application form,” and “We will send billing data.” The message body was either left blank or contained a brief statement referencing an order form that must be confirmed and thanking the recipient for their help.

If the prospective victim opens the document and enables macros, then an embedded Visual Basic Application code downloads second-stage code consisting of a Windows batch command and PowerShell command. The PowerShell command then downloads a PNG file, whose image contains hidden code within its blue and green channels. (The sample image shown in the Crowdstrike blog consists of a printer and piece of paper featuring the Android logo.)

The PowerShell command next decodes the hidden data to reveal another PowerShell script — a highly obfuscated one that checks infected machines’ geographic regional settings. It the affected device is determined to reside in Japan, then an HTTP GET request is issued, resulting in the URLZone payload.

But it doesn’t end there: Crowdstrike reports that URLZone then proceeds to contact the attackers’ C&C server to download yet another payload. It is not known at this time what this final payload is, but researchers suggest, based on past precedent, that it might be the Gozi ISFB banking trojan.

“Cutwail spam levels in the last three months have been significantly lower,” the blog post states. However, “The introduction of steganography may suggest that Narwahl Spider has been developing new, innovative methods to evade detection and improve infection rates.”