Ursnif Campaign Waves Breaking on Japanese Shores
According to IBM X-Force data on the activity of financial malware operated by organized cybercrime groups, the Ursnif (aka Gozi) banking Trojan was the most active malware code in the financial sector in 2016 and has maintained its dominance through 2017 to date.

Ursnif’s activity is marked by both frequent code modifications and campaigns in North America, Europe and Australia. But one of its most frequent targets in 2017 has been Japanese banks, where Ursnif’s operators were very active in late Q3 2017, starting in September. The threat actors continue to spam users in the region regularly as we move into Q4.
Ursnif’s Focus on Japanese Targets
In terms of targets, Ursnif malware configurations can be a mixed bag at times, but those targeting Japan are specific to banks and payment card providers in the country. That list of targets remained unchanged through the different campaigns, suggesting that the same actors are likely behind them.

In addition to banks, the active Ursnif variant in Japan also targets user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.

In terms of the attack tactics employed against Japanese users, X-Force analysis points to data grabbing from secure sessions, webinjection attacks and, in some cases, page redirections. Previous tactics, such as video grabbing, are not presently featured, which could suggest that the actors are local or quite familiar with the banking systems in Japan.

The delivery method of Ursnif payloads in Japan has been rather consistent throughout the campaigns observed this summer, featuring fake attachments purporting to come from financial services and payment card providers in Japan.