Euro Security Watch with Mathew J. Schwartz

Anti-Malware , Fraud , Technology

Banking Malware: Big in Japan Fraudsters Wield Shifu, Rovnix and UrlZone Malware Against Japanese Targets
Banking Malware: Big in Japan

Can't tell your Hiragana from your Kanji characters? Then you face a similar challenge to other non-native writers of Japanese: It's not an easy language to master.

See Also: 2016 State of Threat Intelligence Study

The same goes for legions of non-Japanese-speaking cybercriminals, who historically have favored targets in North America and Europe over potential malware victims in Japan, despite the country commanding one of the world's largest economies and featuring a mature banking sector.

"When it comes to banking malware, it seems Japan has hit the big time." 

"While fraudsters were easily able to translate texts into English, even if imperfect or lacking, the same task was trickier when it came to Japanese," IBM security researcher Limor Kessem says in a Feb. 1 blog post. "Another aspect that kept most cybercriminal factions out of Japan is the likely lack of a local infrastructure for Web fraud, which would require money mule recruitment in Japanese and local rogues to help criminals understand the banking and payment systems."

But that's now changing: In recent months, Japanese users have been targeted by new, localized versions of Shifu, Rovnix and UrlZone malware (see Targeted Attacks: How Ready is Japan?).

Follows Ransomware Campaign

To be clear, Japan has never been immune from banking Trojans or ransomware attacks.

In September 2015, for example, security firm Trend Micro warned that the Neutrino - a.k.a. Kasidet - crimeware toolkit, which has long been sold to cybercriminals for launching or reselling distributed denial-of-service attacks attacks, had been upgraded to also target POS devices in Japan (see Malware Warning: Banks, Customers, ATMs Under Fire). Neutrino competes with the notorious Angler exploit kit.

In fact, the next month, researchers from Cisco's Talos security intelligence and research group disrupted an Angler campaign that had been serving ransomware, and which primarily targeted Japanese users. Cisco said the campaign accounted for about half of all Angler traffic and generated an estimated $34 million annually for the gang behind those attacks (see Angler Ransomware Campaign Disrupted).

Shifu Upgrade Eyes Japan

But IBM's Kessem says Japan-targeting cybercrime took a big leap forward when Japanese-speaking criminals adapted the Shifu malware to target not just multiple electronic banking platforms throughout Europe, but also Japanese financial firms. The malware is designed not just to ransack infected PCs for online banking credentials, but also POS configuration information and cryptocurrency wallets (see Sophisticated Carbanak Banking Malware Returns, With Upgrades).

The Shifu upgrade, first detailed by IBM in September 2015, included Web injections customized for Japanese banks. Attackers create these Web injections for every bank they want to target. The functionality allows them to alter the appearance of a user's online banking account, for example, to hide the fact that attackers are transferring funds out of the account in real time while a user is logged in.

The Shifu development team apparently took the time and effort required to develop these customizations, Kessem says, and they're now available for other cybercrime gangs to adapt or purchase (see How Do We Catch Cybercrime Kingpins?). In fact, such collaboration - or stealing - is the cybercrime norm, she says, noting that Shifu used Web injections developed by the Neverquest - a.k.a. Vawtrak, Snifula - malware development team; the Dridex banking malware has adapted Shifu's techniques for targeting U.K. victims; and when the Rovnix banking malware began targeting Japanese banks in December 2015, it seemed to be using Web injections that were borrowed or bought from Shifu.

UrlZone Enters the Game

Now, the cybercrime gang behind the banking Trojan UrlZone - a.k.a. Bebloh, Shiotob - appears to have made its Japanese debut. The malware was first spotted in 2009 attacking German banks - stealing $500,000 in less than a month - but entered a period of relative dormancy from 2013 until July 2015, Kessem says. In December 2015, however, the malware began targeting Spanish banking customers, and in January, Japanese banking customers, who now comprise 74 percent of its target list. IBM declined to comment on which Japanese banks - or how many exactly - are being targeted by UrlZone.

Historically, UrlZone would relay both real and bogus account information between infected endpoints and command-and-control servers to try to confuse security researchers, banks and law enforcement agencies. More recently, however, IBM says UrlZone has added encrypted Web injection configuration files, as well as encrypted C&C communications. Meanwhile, the malware uses standard Web injection customizations that enable attackers to socially engineer targets into entering sensitive information and which can also hide actual account balances while attackers drain the account.

When it comes to banking malware, it seems Japan has hit the big time.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network