Land of the rising trojan: Ursnif banking malware surges in Japan


Malspam campaigns designed to spread the Ursnif banking trojan have been heavily targeting Japanese banks and payment card providers in 2017, especially since September, according to IBM's X-Force research team.

The attacks have been leveraging Ursnif, also known as Gozi, to steal data from secure sessions, perform web injections and execute page redirections, reports Limor Kessem, IBM cybersecurity expert, in a company blog post on Thursday. The malware targets not only banking credentials, but also local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites, the report continues.

Because the targets in each successive attack have been the same, IBM posits that one threat actor is responsible for all of the spam campaigns, most of which infect victims with fake attachments designed to impersonate Japanese financial services and payment card providers.

"In other malspam versions, users receive an HTML link that leads to an archive (.zip) file containing JavaScript, which launches a PowerShell script that fetches the payload from a remote server and infects the user with Ursnif," Kessem writes. "The payload appears to be served from web resources the attackers registered to serve the malicious code, not from hijacked domains."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
