Big in Japan: URLZone Trojan Marks the Latest Malware Migration

Japan has enjoyed some protection from most cybercrime for many years because of its linguistic specificity, but that defense appears to be waning: The third major malware campaign in four months has been uncovered, targeting that country’s banking infrastructure.

Just months after organized cybercrime groups mounted campaigns using the sophisticated Shifu Trojan and the Rovnix Trojan against Japanese financial institutions, a third well-known cybercrime group, the URLZone team, has moved to attack 14 major Japanese banks, according to IBM X-Force researchers.

In most cases of malware migration, cyber-criminal groups with adequate resources are looking for easier money, less security and an element of surprise.

“While fraudsters were easily able to translate texts into English, even if imperfect or lacking, the same task was trickier when it came to Japanese,” said IBM cybersecurity evangelist Limor Kessem in a blog post. “Another aspect that kept most cyber-criminal factions out of Japan is the likely lack of a local infrastructure for Web fraud, which would require money mule recruitment in Japanese and local rogues to help criminals understand the banking and payment systems.”

But the grace period for the country has ended, with the entrance of organized crime groups that have deep pockets and a willingness to invest in building tools and a localized team for fraud in a unique language zone such as Japan. The upfront investment carries a big payoff, considering the element of surprise that they’ve been able to enjoy.

Plus, it’s a shared resource situation, which makes that upfront investment a reusable one. “IBM X-Force researchers noted that organized cybercrime gangs share resources and buy tools from one another or from the same black-hat vendors,” said Kessem. “Once Shifu’s group had the infection scheme set up to attack in Japanese, as well as web injections and localized knowledge about banks in the country, much of the work was already done for other gangs who could now invest in entering the new turf.”

In January 2016, the URLZone gang officially joined the roster of attackers targeting Japanese banks, using email spam containing a poisoned attachment. URLZone, a banking Trojan also known as Bebloh and Shiotob, was first detected in the wild in 2009 when it was attacking German banks.

“Right from the start, this banking Trojan was considered to be one of the most advanced due to special techniques to conceal malicious activity from both users and researchers,” Kessem said. “For example, after robbing accounts of almost their entire balance, URLZone uses HTML injections to replace the balance and hide the transaction line from the victim’s online banking account view.”

Moreover, to hide its mule account list from researchers, the malware would validate each infected machine to ensure it is indeed part of its botnet and only then provide a mule account for the illicit transactions it carries out. If the infected machines did not pass the test, URLZone’s command-and-control (C&C) server would send back unrelated bank account numbers to keep researchers and banks confused.

After the Trojan had been silent for most of 2015, the situation changed in August of that year, when IBM X-Force researchers discovered a new, upgraded version of URLZone.

“Changes to the malware updated its evasion techniques to avoid research tools. The Trojan was also fitted with a new configuration file designed to target banking customers in the UK, Italy, Poland and Croatia,” Kessem said. “In December 2015 it began attacking banks in Spain, and in January 2016 it received an upgrade to target Japanese banks.”

In terms of URLZone’s ranking on the global malware list this year, IBM Security data showed that this malware has not yet cracked the top 10—but clearly the malware is positioned to change that.

“To help stop threats like URLZone, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints when malware migrates or finds new focus in the organization’s region,” Kessem said.
