TechBizWebTechBizWeb

    Subscribe to Updates

    Get the latest news about Technology and Business from all around the web..

    What's Hot

    Amazon says it has ‘hundreds’ of Rivian electric vans making deliveries in the US

    November 7, 2022

    Ryanair swings to first-half profit and raises passenger forecast

    November 7, 2022

    Devialet brings its sci-fi design aesthetics to a $790 portable speaker

    November 7, 2022
    Facebook Twitter Instagram
    • About Us
    • Privacy Policy
    • Guest Post
    • Terms
    • Contact
    Facebook Twitter Instagram
    TechBizWebTechBizWeb
    Subscribe
    • Home
    • Technology

      Amazon says it has ‘hundreds’ of Rivian electric vans making deliveries in the US

      November 7, 2022

      Devialet brings its sci-fi design aesthetics to a $790 portable speaker

      November 7, 2022

      Elon Musk’s response to fake verified Elon Twitter accounts: a new permanent ban policy for impersonation

      November 7, 2022

      The iPhone 14 Pro and Pro Max will come with ‘longer wait times’ due to factory lockdown

      November 6, 2022

      Meta’s reportedly planning to lay off ‘thousands’ of workers this week

      November 6, 2022
    • Business
    • Cyber Security
      National Security News

      List of 620 Russian spies, featuring one alleged agent at the centre of one of the biggest personal scandals in Wall Street history.

      September 24, 2022

      Cybersecurity ranked most serious enterprise risk in 2022

      August 31, 2022

      Registration open for CISA virtual summit on K-12 school safety

      August 31, 2022

      What do the Trickbot leaks reveal about Russian cybercrime?

      August 31, 2022

      What cybersecurity measures do CISOs outsource?

      August 30, 2022
    • Blockchain
    • Vulnerabilities
    • Social Engineering
    • Malware
    • Cyber Security Alerts
    TechBizWebTechBizWeb
    Home»Cyber Security»New Variant of Ursnif Targeting Japan
    Cyber Security

    New Variant of Ursnif Targeting Japan

    March 13, 2019Updated:March 13, 2019No Comments5 Mins Read
    Facebook Twitter Pinterest LinkedIn Tumblr WhatsApp
    Share
    Facebook Twitter LinkedIn Pinterest Email


    A new variant of the Ursnif trojan has been discovered targeting Japan since the beginning of 2019. Japan is a common target for Ursnif, but the latest version, delivered by Bebloh, goes to increased lengths to ensure that the victim is indeed Japanese.

    New variants of Ursnif are not uncommon since the source code was leaked in 2015, but this version also includes enhanced data theft modules for stealing data from mail clients and email credentials stored in browsers. Other new developments, according to Cybereason research, include a new stealthy persistence module, a cryptocurrency and disk encryption module, and an anti-PhishWall (a Japanese security product) module.

    The infection chain starts with delivering Bebloh via a weaponized Office document. If activated, a VBA macro in the document first conducts extensive location tests. These tests are expanded and modified over earlier versions, making them more difficult to interpret — but using a technique also seen in a campaign against Italian targets this year.

    If the target computer passes the location tests, a PowerShell payload is activated. This includes a final IP geolocation check. It then downloads Bebloh hidden steganographically in an image downloaded from an image sharing website such as imgur or postimage.cc. Bebloh is injected into explorer.exe and it downloads Ursnif’s loader from the C2 server.

    The Ursnif loader conducts further tests to ensure that the victim is a genuine user and not a disguised researcher. These include a Xeon CPU check, a virtualization vendor check, and a timing check to force a VM exit. If any of these checks prove positive, the loader displays an error message and terminates the process. But if all is well, Ursnif’s core DLL is injected into the main explorer.exe process.

    The payload seems to be Gozi ISFB v3. Its compilation date is February 22, 2019. However, Cybereason has found an earlier sample of the same variant timestamped July 2018, suggesting that the variant first emerged in 2018.

    Code analysis suggests that this version is related to the Dreambot variant of Ursnif, but with some features removed and others added. Gone, for example, are the Tor client and the VNC module. New or revamped features include a new last-minute persistence feature (resembling that used by Dridex); new data theft modules to steal from IE, Outlook and Thunderbird; a cryptocurrency and disk encryption software module; and an anti-PhishWall module.

    ‘Persistence’ is created at the last minute before system shutdown. When the system is rebooted, persistence is activated and Ursnif is re-run. Persistence is then deleted to lower the chance of detection, and only recreated when the system is shut down. 

    The new variant’s mail stealing functionality has been enhanced and expanded. For example, the Outlook stealer has been enhanced to locate Microsoft Outlookís .PST and .OST file extensions. A new module has been added to steal Thunderbird login credentials and the Thunderbird personal address book. A new Internet Explorer module will steal autocomplete typed URLs and data (including credentials, and the IE browsing history.

    It also adds functionality that seems to be designed to steal cryptocurrency from wallets, including the Electrum Bitcoin wallet, Bitcoin wallet, Multibit-hd, Bither Bitcoin wallet, mSigna Bitcoin wallet, Jaxx multi-currency digital wallet, and Bitcoin Armory wallet.

    This version of Ursnif also adds some anti-security product capabilities aimed at defeating PhishWall and Rapport. PhishWall is a popular Japanese anti-phishing and anti-banking trojan application, and anti-PhishWall modules have been used by other trojans in the past (such as Shifu and Bebloh). 

    The anti-Rapport module is designed to defeat IBM Trusteer’s Rapport product. This is not new, but not often seen in malware targeting Japan. The code seems to be based on — if not copy/pasted from — Carberp’s anti-Rapport code (which is freely available on GitHub). Cybereason notes that it has tested neither the PhishWall nor the Rapport module, so cannot attest to their efficiency.

    Cybereason is unsurprised by the new concentration on data stealing highlighted by the new version of Ursnif. “With more and more banking customers shifting to mobile banking and the continuous hardening of financial systems,” writes the researcher, “it is not surprising that trojans are beginning to focus more than ever before on harvesting non-financial data that can also be monetized and exploited by the threat actors.”

    But what stands out from this campaign, he adds, “is the great effort made by threat actors to target Japanese users. They use multiple checks to verify that the targeted users are Japanese, as opposed to other more prolific trojans and information stealers that cast a wider net when it comes to their victims.”

    Related: Ursnif Trojan Uses Fileless Persistence and CAB for Stealthily Data Exfiltration 

    Related: Banking Trojan “URLZone” Targets Japan 

    Related: Ursnif Trojan Uses New Malicious Macro Tactics 

    Related: Popular Banking Trojans Share Loaders

    Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

    Previous Columns by Kevin Townsend:
    Tags:



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

    Related Posts

    National Security News

    List of 620 Russian spies, featuring one alleged agent at the centre of one of the biggest personal scandals in Wall Street history.

    September 24, 2022 Cyber Security

    Cybersecurity ranked most serious enterprise risk in 2022

    August 31, 2022 Cyber Security

    Registration open for CISA virtual summit on K-12 school safety

    August 31, 2022 Cyber Security

    What do the Trickbot leaks reveal about Russian cybercrime?

    August 31, 2022 Cyber Security

    What cybersecurity measures do CISOs outsource?

    August 30, 2022 Cyber Security

    SIA announces Women in Security Forum scholarship recipients

    August 30, 2022 Cyber Security
    Editors Picks

    Ryanair swings to first-half profit and raises passenger forecast

    November 7, 2022

    Devialet brings its sci-fi design aesthetics to a $790 portable speaker

    November 7, 2022

    Google Cloud Says Running Validator on Solana Blockchain

    November 7, 2022

    European stocks rise as investors boosted by China speculation

    November 7, 2022
    Trending Now

    Evergrande creditors sell ‘Versailles mansion’ plot in Hong Kong

    By techbizweb

    OpenSea Creates Tool for NFT Creators to Enforce Royalties On-Chain

    By techbizweb

    FTSE chairs warn of declining relations with institutional investors

    By techbizweb

    https://www.nationalsportsacademy.com

    slot gacor hari ini

    http://www.inadesfo.org/

    http://www.eueomgbissau.org/

    http://www.congo-mai-mai.net/

    http://www.angelesdelafrontera.org/

    http://fifaworldcup2018schedule.com/

    http://tony4gtrmcr.co.uk/

    http://www.standrewsagreement.org/

    http://www.bob-russell.co.uk/

    http://davidmulholland.co.uk/

    http://railwayhotelenniskillen.com/

    http://www.fantasysportstrades.com/

    http://www.rainleaf-flooring.com

    http://mothersagainstguns.org/

    http://ma-coc.org/

    slot online

    http://www.paradoxmag.com/situs-judi-slot-online-gampang-menang-2021/

    http://www.paradoxmag.com/situs-judi-slot-online-terbaru-2021/

    http://slot-terbaru.net/

    Slot Gacor

    Slot Online

    Situs Slot Gacor

    http://www.appdexterity.com/

    https://cars4kids-deutschland.de/

    https://www.stretchingculture.com/

    https://www.b-123-hp.com/slot-gacor/

    https://denzstaffing.nl/

    https://ezbbqcooking.com/slot-gacor/

    https://www.mbahelp24.com/slot-gacor

    https://minhtanstore.com/slot-jackpot-terbesar/

    https://njbpusupplierdiversity.com/slot-gacor-gampang-menang/

    https://www.floridaspecialtycropfoundation.org/slot-gampang-menang/

    https://childrenscornerpreschool.org/slot-gacor-gampang-menang/

    https://cryptoquoter.com/slot-online-terbaik/

    https://alorkantho24.com/slot-gacor/

    https://ellas.xyz/slot-gacor/

    https://it.dougamatome.xyz/slot-online/

    https://www.daltercume.com/slot-gacor/

    https://josi-ana.dougamatome.xyz/slot88/

    https://josi-ana.dougamatome.xyz/slot-gacor/

    https://fastobserver.com/slot-jackpot-terbesar/

    https://www.planetexperts.com/slot-gacor/

    https://bfsolution.group/slot-bet-kecil/

    https://rustleva.co/slot/

    https://bfsolution.group/slot-bet-kecil/

    https://www.hotelcalimareal.com/togel-online/

    https://anime-game.dougamatome.xyz/slot-gacor-gampang-menang/

    https://anime-game.dougamatome.xyz/togel-online/

    https://bourbonbarrelfoods.com/slot/

    http://suneo39.wp.xdomain.jp/slot/

    https://techbizweb.com/slot-gacor/

    https://www.generalcatalyst.com/18-daftar-slot-gacor-terbaik-gampang-menang-jackpot-hari-ini/

    https://www.hotelcalimareal.com/slot-online/

    https://www.blockgates.io/slot-gacor/

    https://l12.com.br/slot-gacor/

    slot paling gacor

    https://www.donalds-hobby.com/slot-online/

    https://thecryptodirt.com/slot-gacor-hari-ini/

    http://iseta.edu.ar/aulavirtual/app/upload/users/1/1205/my_files/sbobet.html

    http://escuelavirtual.mincit.gov.co/app/upload/users/1/194/my_files/slot.html

    https://www.dev.medecinesfax.org/courses/JUDICASINO/document/slot.html

    http://www.e-archivos.org/cursos/courses/JUDICASINO/document/slot-gacor.html

    http://iesma.com.br/ead/main/upload/users/4/447/my_files/slot.html

    https://www.fundacoop.org/chamilo/app/upload/users/1/1185/my_files/slot.html

    https://fata-aatf.org/eskola/main/upload/users/3/31/my_files/slot.html

    https://uancv.edu.pe/ofinvestigacion/app/upload/users/3/328/my_files/slot-terlengkap.html

    https://micost.edu.my/EL/app/upload/users/2/209/my_files/slot-gacor.html

    https://www.academiacoderdojo.ro/elearningdev/app/upload/users/2/2442/my_files/slot-online.html

    http://campus-cidci.ulg.ac.be/courses/JUDICASINO/document/slot-termurah.html

    https://www.escueladerobotica.misiones.gob.ar/aula-ste/courses/LIVECASINO/document/slot-tergacor.html

    http://ccdipeepccqqfar.usac.edu.gt/chamilo/app/upload/users/3/358/my_files/slot-online.html

    https://cunori.edu.gt/campus/app/upload/users/7/7334/my_files/slot-online.html

    http://u-rus.com.ar/aula/app/upload/users/1/1322/my_files/slot.html

    http://icrodarisoveria.edu.it/chamilo/app/upload/users/1/1855/my_files/slot.html

    https://iestpliliagutierrez.edu.pe/clarolgm/courses/CASINO/document/slot.html

    http://pva.cobach.edu.mx/app/upload/users/7/7379/my_files/slot.html

    http://www.imb-pc-online.edu.gt/PL/app/upload/users/3/373/my_files/slot.html

    http://avcs.upeu.edu.pe/main/upload/users/3333/my_files/slot.html

    https://chamilo.fca.uas.edu.mx/app/upload/users/1/11186/my_files/slot-online/

    TechBizWeb
    Facebook Twitter Instagram Pinterest Vimeo YouTube
    • Home
    • Guest Post
    • About Us
    • Privacy Policy
    • Our Authors
    • Terms and Conditions
    • Contact
    © 2023 Tech Biz Web. Developed by Sawah Dev.

    Type above and press Enter to search. Press Esc to cancel.