Banking Trojans: Ursnif Global Distribution Networks Identified



The infamous banking Trojan Ursnif (a.k.a. Gozi) has been continuously used in attacks against Japan for more than a year. The main delivery technique is spam email with a malicious attachment that downloads the Ursnif executable from a remote site.

The Tokyo Metropolitan Police Department and the Japan Cybercrime Control Center have recently been issuing public warnings about these malicious email activities. In our analysis we identified distribution networks that are used to target various countries, including Japan and several European nations, with banking Trojans. The network consists of two primary components: a spam botnet that delivers the e-mails, and a set of compromised web servers.


  • The spam botnet focuses on delivering Banking Trojans or Downloader Trojans to Japan, Italy, Spain, Poland, Australia, and Germany.
  • Compromised web servers host the Banking Trojans and spam bot files that are downloaded by the malicious downloader programs distributed by spam.

Analysis of Ursnif infection vector in Japan

Using our threat intelligence platform AutoFocus, Palo Alto Networks observed millions of e-mails sent to Japanese targets throughout 2016. Most of the emails were written in Japanese (see the example in Figure 1). The latest attachment we’ve seen, detected in January 2017, is a JavaScript downloader that simply downloads Ursnif from a remote site and executes it on the compromised machine.


Figure 1 Japanese email with malicious attachment

Shiotob (a.k.a. Bebloh or URLZone) was the most widely distributed threat in this attack campaign last year. We identified 75 unique Shiotob variants in 7 million spam emails. Interestingly, Shiotob itself can steal online banking credentials, but the adversary has used it only for downloading the main payloads, at least since mid-2016. Figure 2 shows the infection steps.


Figure 2 Infection steps

  1. The victim receives the malicious e-mail and opens the attachment, infecting the victim’s system with Shiotob.
  2. Shiotob starts communicating with the C2 server over HTTPS and receives commands periodically.
  3. Shiotob installs additional threats (such as Ursnif) based on the commands from the C2 server.


Figure 3 Download commands from C2

Figure 3 is an example of commands from the Shiotob C2 server. You can see the C2 provided three “>LD” commands in a session. This is the download command, which installs a remote file on the compromised system. Two of them fetch the same Ursnif binary from different locations. The other fetches the notorious spam bot Pushdo (a.k.a. Cutwail or Pandex) from another server. Once infected, the system sends spam emails based on commands from the botnet master.

Spam Activity

Unit 42 observed millions of spam emails attacking Japanese recipients, some of whom could be running the banking Trojan and the spam bot simultaneously. Though it is difficult to know the exact number of infections caused by the email campaign, we know the number is significant given the increase in Japan-based IP addresses as a source of emails with malicious attachments (Figure 4). We consider this a result of increasing spam bot infections by this attacker.


Figure 4 Increasing emails with malicious attachment from Japan

To understand the spam bot network’s activity, we randomly extracted 200 unique Japanese IP addresses that were sending Shiotob spam and investigated what else they sent by email. They belong to the email campaign and may have been transmitting something malicious in addition to Shiotob. The result was that the IPs sent 250 unique malware samples among 268,000 emails in 2016 (Figure 5).


Figure 5 Malware sent by 200 Japanese IP addresses

Most of the malware files are classified as either Banking Trojans or Downloader Trojans. Some of the downloaders were in turn installing the Banking Trojans listed above. The botnet apparently focused on delivering Banking Trojans through spam.

Based on our telemetry, Italy, Japan, Spain, Poland and Germany were the top target countries by sample count. The attackers customized the delivery e-mails for each target, using a localized email subject and body to lure speakers of that language. Some words and topics recur in their spam emails across all languages (Table 1).

Target                   | Australia    | Italy     | Japan    | Spain         | Poland        | Germany
Banking Trojans          | Ursnif
Frequent words in emails | Photo        | Foto      | 写真     | Foto          | Zdjęcie       | Foto
                         | Order        | D’ordine  | 注文     | Orden         | Oferta        | Bestellung
                         | Invoice      | Fattura   | 請求     | Factura       | Faktura       | Rechnung
                         | Notification | Notifica  | お知らせ | Notificación  | Powiadomienie | Versandbenachrichtigung
                         | Delivery     | Recapito  | 配達     | Entregar      | Dostawa       |

Table 1 Targets and Email characteristics

Malware hosting servers

Next, we searched for the malware-hosting web servers accessed by the threats delivered in spam. We soon realized the threat actor(s) make their infrastructure redundant by copying threat files onto multiple servers. For example, they put one malicious file on both server A and server B, and another file on server B and server C (Figure 6).


Figure 6 Malware redundancy

By following the links between servers and malicious files, we found more than 200 malicious files on 74 servers that were used by the threat actor(s) from April 2015 to January 2017. Most of them were compromised personal or small-to-medium-sized business websites located in Europe. They host outdated content, and the owners seem not to have maintained the servers for years. Figure 7 shows the geographic locations of the web servers.
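The expansion described here, from one server to the files it hosts, to the other servers hosting the same files, and so on, is a breadth-first walk over a bipartite server/file graph. The block below is an added example, not the post's tooling: it builds that graph from (server, file) observations, pivots from a seed server to enumerate the whole cluster, and lists the files that were copied to more than one server. The server names and file identifiers are constructed placeholders, not indicators from the post.

```python
# Added example (not from the post): pivot over server/file relations.
from collections import defaultdict, deque

# Constructed observations: (hosting server, identifier of hosted file).
# These are placeholders, not indicators from the post.
OBSERVATIONS = [
    ("server-a.example", "file-1"),
    ("server-b.example", "file-1"),   # file-1 copied to A and B
    ("server-b.example", "file-2"),
    ("server-c.example", "file-2"),   # file-2 copied to B and C
    ("server-d.example", "file-3"),   # unrelated cluster
]

def build_graph(observations):
    """Bipartite adjacency: server -> files and file -> servers."""
    hosts, hosted_on = defaultdict(set), defaultdict(set)
    for server, file_id in observations:
        hosts[server].add(file_id)
        hosted_on[file_id].add(server)
    return hosts, hosted_on

def pivot(seed_server, observations):
    """Breadth-first expansion from one server through shared files.
    Returns (servers, files) reachable from the seed."""
    hosts, hosted_on = build_graph(observations)
    servers, files = {seed_server}, set()
    queue = deque([seed_server])
    while queue:
        server = queue.popleft()
        for file_id in hosts.get(server, ()):
            files.add(file_id)
            for other in hosted_on[file_id]:
                if other not in servers:
                    servers.add(other)
                    queue.append(other)
    return servers, files

def redundant_files(observations):
    """Files present on more than one server (the 'A and B' pattern)."""
    _, hosted_on = build_graph(observations)
    return {f: sorted(s) for f, s in hosted_on.items() if len(s) > 1}
```

Starting from server-a.example the walk reaches servers A, B and C and files 1 and 2, while server-d.example stays outside the cluster.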


Figure 7 Geographical location of the web servers

Figure 8 shows the breakdown of malware found on the web servers, and Table 2 shows where the malware was downloaded from, based on our telemetry. The results correspond to the analysis of targets and malware delivered by spam in the previous section.


Figure 8 Malware on Web Servers

Malware | Downloading countries
Ursnif  | Japan, Italy, Spain
KINS    | Italy
Rovnix  | Japan
Shiotob | Australia,
Zeus    | Italy
Pushdo  | Japan, Italy

Table 2 Malware family found on Web servers

A full graph of relations between servers and malicious files is below (Figure 9).


Figure 9 Relations between servers and malicious files


The actors deploying these banking Trojans use a spam bot network and compromised web servers. It is still unclear whether a single group attacks multiple countries with various threats using this infrastructure, or whether numerous threat actors share it.

