The infamous banking Trojan Ursnif (a.k.a. Gozi) has been used continuously in attacks against Japan for more than a year. The main delivery technique is spam email with a malicious attachment that downloads the Ursnif executable from a remote site.
The Tokyo Metropolitan Police Department and the Japan Cybercrime Control Center have recently issued public warnings about these malicious emails. In our analysis we identified distribution networks used to target various countries, including Japan and several European nations, with banking Trojans. The network consists of two primary components: a spam botnet that delivers the emails, and a set of compromised web servers.
- The spam botnet focuses on delivering Banking Trojans or Downloader Trojans to Japan, Italy, Spain, Poland, Australia, and Germany.
- Compromised web servers host Banking Trojans and spam bot files, which are downloaded by the malicious downloader programs distributed by spam.
Analysis of Ursnif infection vector in Japan
Figure 1 Japanese email with malicious attachment
Shiotob (a.k.a. Bebloh or URLZone) was the most widely distributed threat in this attack campaign last year. We identified 75 unique Shiotob variants in 7 million spam emails. Interestingly, although Shiotob can itself steal online banking credentials, the adversary has used it only to download the main payloads, at least since mid-2016. Figure 2 shows the infection steps.
Figure 2 Infection steps
- The victim receives the malicious email and opens the attachment, infecting the system with Shiotob.
- Shiotob begins communicating with its C2 server over HTTPS and periodically receives commands.
- Shiotob installs additional threats (such as Ursnif) based on the commands from the C2 server.
Figure 3 Download commands from C2
Figure 3 shows example commands from a Shiotob C2 server. The C2 issued three “>LD” commands in a single session. “>LD” is the download command, which installs a remote file on the compromised system. Two of the three commands fetch the same Ursnif binary from different locations; the third fetches the notorious spam bot Pushdo (a.k.a. Cutwail or Pandex) from another server. Once infected with Pushdo, the system sends spam emails based on commands from the botnet master.
Unit 42 observed millions of spam emails targeting Japanese recipients, some of whom could be running the banking Trojan and the spam bot simultaneously. Though it is difficult to know the exact number of infections from this email campaign, the number is clearly significant given the increase in Japan-based IP addresses as a source of emails with malicious attachments (Figure 4). We consider this a result of the growing number of spam bot infections by this attacker.
Figure 4 Increasing emails with malicious attachment from Japan
To understand the spam bot network's activity, we randomly extracted 200 unique Japanese IP addresses that were sending Shiotob spam and investigated what else they sent by email. These addresses belonged to the email campaign and may have been transmitting other malicious content in addition to Shiotob. The result: the IPs sent 250 unique malware samples in 268,000 emails during 2016 (Figure 5).
Figure 5 Malware sent by 200 Japanese IP addresses
Most of the malware files are classified as either Banking Trojans or Downloader Trojans, and some of the downloaders in turn installed the Banking Trojans listed above. The botnet was apparently focused on delivering Banking Trojans through spam.
Based on our telemetry, Italy, Japan, Spain, Poland and Germany were the top target countries for these samples. The attackers customized the delivery emails for each target, using a localized email subject and body to lure speakers of that language. Some words and topics appear frequently in their spam emails across all languages (Table 1).
Table 1 Targets and email characteristics (table body not recoverable; its columns included “Frequent word in Emails”)
Malware hosting servers
Next, we searched for the malware-hosting web servers contacted by the threats delivered in spam. We soon realized the threat actor(s) make their infrastructure redundant by copying malicious files onto multiple servers. For example, they put one malicious file on both server A and server B, and another file on server B and server C (Figure 6).
Figure 6 Malware redundancy
By following the links between servers and malicious files, we found more than 200 malicious files on 74 servers used by the threat actor(s) from April 2015 to January 2017. Most were compromised personal or small-to-medium-sized business websites located in Europe. They host outdated content, and their owners appear not to have maintained the servers for years. Figure 7 shows the geographic locations of the web servers.
Figure 7 Geographical location of the web servers
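The pivoting described above, from a server to the files it hosts and on to every other server hosting the same files, is what produces a redundancy graph like Figure 6 and the full relation graph in Figure 9. The code below is an added example, not code from the original post or from Unit 42: it builds the server/file index from a list of observations, lists files copied onto more than one server, lists server pairs that share a file, and walks the bipartite graph to cluster servers that are linked directly or transitively. All hostnames (reserved .invalid TLD) and hashes are constructed placeholders that mirror the A/B/C pattern in the text, plus one unrelated server.

```python
"""Server/file relation graph for hunting redundant malware-hosting infrastructure.

Added example (not the original post's code). Observations are constructed:
hostnames use the reserved .invalid TLD and the hashes are fake placeholders.
"""
from collections import defaultdict, deque
from itertools import combinations

# Constructed observations: (hosting server, hash of the hosted file).
OBSERVATIONS = [
    ("server-a.invalid", "sha256:aaaa0001"),  # file 1 on A and B (redundant copy)
    ("server-b.invalid", "sha256:aaaa0001"),
    ("server-a.invalid", "sha256:aaaa0002"),  # file 2 only on A
    ("server-b.invalid", "sha256:aaaa0003"),  # file 3 on B and C (redundant copy)
    ("server-c.invalid", "sha256:aaaa0003"),
    ("server-d.invalid", "sha256:aaaa0004"),  # file 4 only on D: no link to A/B/C
]


def build_index(observations):
    """Return (files_by_server, servers_by_file), both dicts of sets."""
    files_by_server = defaultdict(set)
    servers_by_file = defaultdict(set)
    for server, file_hash in observations:
        files_by_server[server].add(file_hash)
        servers_by_file[file_hash].add(server)
    return dict(files_by_server), dict(servers_by_file)


def redundant_files(observations):
    """Files copied onto more than one server, mapped to their sorted hosts."""
    _, servers_by_file = build_index(observations)
    return {f: sorted(s) for f, s in servers_by_file.items() if len(s) > 1}


def shared_file_pairs(observations):
    """Server pairs hosting at least one common file (the edges of Figure 6),
    mapped to the number of shared files."""
    files_by_server, _ = build_index(observations)
    pairs = {}
    for a, b in combinations(sorted(files_by_server), 2):
        common = files_by_server[a] & files_by_server[b]
        if common:
            pairs[(a, b)] = len(common)
    return pairs


def pivot(start_server, observations):
    """Servers reachable from start_server by alternately following
    server -> hosted file -> other servers hosting that file (BFS over the
    bipartite graph). This is the 'follow the link' step from the text."""
    files_by_server, servers_by_file = build_index(observations)
    seen = {start_server}
    queue = deque([start_server])
    while queue:
        server = queue.popleft()
        for file_hash in files_by_server.get(server, ()):
            for other in servers_by_file[file_hash]:
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return seen


def clusters(observations):
    """Connected components of the graph as sorted server lists. Servers in one
    component share files directly or transitively; separate components point
    to infrastructure that the observed files do not connect."""
    files_by_server, _ = build_index(observations)
    remaining = set(files_by_server)
    result = []
    while remaining:
        component = pivot(min(remaining), observations)  # min() keeps the walk deterministic
        result.append(sorted(component))
        remaining -= component
    return sorted(result)


if __name__ == "__main__":
    for file_hash, hosts in redundant_files(OBSERVATIONS).items():
        print(f"{file_hash} hosted on {', '.join(hosts)}")
    for (a, b), n in shared_file_pairs(OBSERVATIONS).items():
        print(f"{a} <-> {b}: {n} shared file(s)")
    print("clusters:", clusters(OBSERVATIONS))
```

Fed with real (server, hash) pairs pulled from download URLs in the spam, `clusters` gives the components of a Figure 9 style graph, and a single large component is the signal that the servers were seeded by the same operator rather than compromised independently.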
Figure 8 shows the breakdown of malware found on the web servers, and Table 2 shows where that malware was downloaded from, based on our telemetry. The results correspond to the analysis of targets and malware delivered by spam in the previous section.
Figure 8 Malware on Web Servers
Table 2 Malware family found on web servers (table body not recoverable; one surviving cell reads “Japan, Italy, Spain”)
A full graph of relations between servers and malicious files is below (Figure 9).
Figure 9 Relations between servers and malicious files
The actors deploying these banking Trojans rely on a spam bot network and compromised web servers. It is still unclear whether a single group attacks multiple countries with various threats using this infrastructure, or whether numerous threat actors share it.