Attackers behind the pervasive banking Trojan Ursnif have made Japan one of their top targets, delivering the malware via spam campaigns that began last month.
For years, Ursnif (or Gozi) has targeted Japan along with North America, Europe and Australia. But according to a recent IBM X-Force analysis of the malware, hackers have stepped up Ursnif campaigns in Japan that include new targets and evasion techniques.
“The Ursnif banking Trojan was the most active malware code in the financial sector in 2016 and has maintained its dominance through 2017 to date,” according to an X-Force report released Thursday. “But one of its most popular targets in 2017 has been Japanese banks, where Ursnif’s operators were very active in late Q3 2017, starting in September.”
Recent samples indicate criminal groups are no longer just targeting banks and banking credentials. “In addition to banks, the active Ursnif variant in Japan also targets user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites,” wrote Limor Kessem, executive security advisor for IBM and author of the report.
Ursnif is a widespread threat that was discovered in 2007. Original targets were online banking wire systems in English-speaking countries. That changed in 2010, when source code for the Trojan was accidentally leaked. That led to the development of Ursnif v2, which adopted web-injection techniques and leverages a hidden virtual network computing (HVNC) feature.