Banking & Finance October 26, 2017
By Limor Kessem 5 min read

According to IBM X-Force data on the activity of financial malware operated by organized cybercrime groups, the Ursnif (aka Gozi) banking Trojan was the most active malware code in the financial sector in 2016 and has maintained its dominance through 2017 to date.

Ursnif’s activity is marked by both frequent code modifications and campaign activity in North America, Europe and Australia. But one of its most popular targets in 2017 has been Japanese banks, where Ursnif’s operators were very active in late Q3 2017, starting in September. The threat actors continue to spam users in the region regularly as we move into Q4.

Read the white paper: How digital banking is transforming fraud detection

Ursnif’s Focus on Japanese Targets

In terms of targets, Ursnif malware configurations can be a mixed bag at times, but those targeting Japan are specific to banks and payment card providers in the country. That list of targets remained unchanged through the different campaigns, suggesting that the same actors are likely behind it.

In addition to banks, the active Ursnif variant in Japan also targets user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.

In terms of the attack tactics employed against Japanese users, X-Force analysis points to data grabbing from secure sessions, webinjection attacks and, in some cases, page redirections. Previous tactics, such as video grabbing, are not presently featured, which could suggest that the actors are local or quite familiar with the banking systems in Japan.

The delivery method of Ursnif payloads in Japan has been rather consistent throughout the campaigns observed this summer, featuring fake attachments purporting to come from financial services and payment card providers in Japan.

Figure 1: Email with malicious attachment carrying Ursnif payload (Source: IBM X-Force)

In other malspam versions, users receive an HTML link that leads to an archive (.zip) file containing JavaScript, which launches a PowerShell script that fetches the payload from a remote server and infects the user with Ursnif. The payload appears to be served from web resources the attackers registered to serve the malicious code, not from hijacked domains.

Figure 2: Email with malicious link leading to Ursnif payload (Source: IBM X-Force)

Recent Ursnif malspam campaigns used a macro evasion technique that launches PowerShell only after the user closes the malicious file. This method helps the malware evade sandbox detection.

X-Force data revealed that campaign email spikes take place in cyclical weekly rounds, usually peaking on Tuesday evenings. Attempted infections peak on Thursdays and Fridays and are relatively low during the weekend and early weekdays.

Ursnif’s operators do not exclusively use malspam. In other regions where they target banks, such as the U.K., they work with the RIG exploit kit to infect users via malvertising campaigns.

Why Japan?

Why do organized crime groups spread to new geographies? In most cases of malware migration, cybercriminal groups with adequate resources are looking for easier money, less security and an element of surprise for users who are less accustomed to their spam ploys and social engineering during the banking session.

The history of organized cybercrime in Japan is not very long. The past five years featured more generic malware and local attackers using proxy changers more than anything else. The situation took a turn for the worse in the summer of 2015, when the Shifu Trojan emerged and made Japan one of its top targets.

Shifu’s activity in Japan died out slowly and eventually faded in 2017, but it was one of the pivotal organized cybercrime groups that opened the floodgates to other cybercrime actors such as URLZone, Rovnix and a step-up in Ursnif attacks. Shifu did that by setting up the spamming and social engineering foundations for other malware that came after it, often copying its tools and likely collaborating with the same local groups.

So why have other organized groups such as Dridex and TrickBot, both of which target banks in as many as 40 countries, largely stayed away from Japan? The answer could lie in the connections other gangs have with local cybercrime and money-laundering groups. Even on the internet, gangs often stick to their own turf.

About Ursnif

When Ursnif was discovered in 2007, it was operated by an exclusive group of threat actors to perpetrate online banking wire fraud in English-speaking countries. In 2010, one of the developers working on an upgrade to Ursnif v2 accidentally leaked the code, which was repurposed by other fraudsters to create banking Trojans such as Vawtrak and Neverquest.

Toward the end of 2010, the original Ursnif v2 began using webinjection techniques against banks in Europe, the U.K. and the U.S. The malware operators added a master boot record (MBR) rootkit in mid-2013 to create high persistency through the computer’s MBR.

Ursnif v2’s online fraud capabilities are enabled through:

  • Script-based browser manipulation;
  • Webinjections and man-in-the-browser (MitB) functionality;
  • Form grabbing;
  • Screen capture and session video grabbing; and
  • Hidden VNC and SOCKS proxy attacks.

Ursnif v2 leverages the hVNC feature, which can essentially be activated at the attacker’s discretion. X-Force researchers analyzed Ursnif’s VNC module to uncover its architecture and inner workings.

Another known Ursnif module is the use of Tor to route the malware’s communications through an anonymized service. In one notable case, Ursnif was linked with another banking Trojan when its fraud module was built into the GozNym hybrid, which IBM X-Force Research discovered in April 2016.

GozNym’s code is made of the Nymaim malware embedded with the Gozi financial fraud module, effectively creating a two-headed beast that was believed to be operated by an organized cybergang. The arrest of one of its members led to GozNym’s demise in late 2016.

Global Perspective

The following chart lists the most prolific banking malware families in 2017 per attack volume.

Figure 3: Most prevalent financial malware families (Source: X-Force, October 2017 YTD)

After the decline of Neverquest activity in 2017, Ursnif climbed up to the third, then second rank globally. Ursnif’s prevalence is also connected with its widening geographical scope. In 2017, for example, the malware presented configurations targeting banks in Bulgaria, Poland, Spain and the Czech Republic, in addition to its targets in North America, Australia and Japan.

In terms of its development cycles, Ursnif was the most active malware project in 2016, topping other banking Trojans with the largest number of updates made to its loader and binary to evade security research and detection. It has kept its position so far in 2017.

IBM X-Force noted that Ursnif has been one of the most active banking Trojans in Japan over the past five years. Our researchers have also been tracking a third version of Ursnif targeting banks in Australia. Stay tuned for upcoming information.

Read the white paper: How digital banking is transforming fraud detection

 |  |  |  |  |  |  |  | 
Limor Kessem
Principal Consultant, X-Force Cyber Crisis Management, IBM

Limor Kessem is a Principal Consultant with X-Force’s Cyber Crisis Management, helping organizations prepare for and face crisis-level cyber-attacks. Previ...

More from Banking & Finance
Banking & Finance   February 7, 2023

How to Spot a Nefarious Cryptocurrency Platform

Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

Application Security   January 25, 2023

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Banking & Finance   December 9, 2022

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Banking & Finance   August 3, 2022

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature