Threat Spotlight: URLZone Malware Campaigns Targeting Japan

The malware known as URLZone has plagued security professionals for nearly a decade, and now it is back for an encore performance in 2018. First detected as a banking Trojan in 2009, this malware has re-emerged in several recent threat campaigns.

URLZone underscores how many rudimentary malware infection strategies are as effective today as they were a decade ago. Victims of URLZone are first phished, then enticed to open an infected attachment which downloads the malware payload.

In the most recent series of attacks targeting Japanese companies, this particular Trojan used a variety of malicious behaviors, from process hollowing to downloading additional malware.

URLZone Analyzed

URLZone remains a persistent threat to infrastructure almost a decade after its first appearance. Its long track record of success makes it a favored malicious code among threat actors. Cylance observed active distribution campaigns involving this malware between February and April of 2018. The vast majority of these URLZone attacks targeted Japan.

We analyzed URLZone samples discovered from February to April, as shown in Table 1:

[Table 1: sample listing grouped by month: Feb. 2018, Mar. 2018, Apr. 2018]

Table 1: 10 URLZone samples detected during this campaign

Figure 1 below shows the number of companies where URLZone was found per day, split between Japan (JP) and non-JP regions. We observed a spike on March 15, with eight victim companies. As you can see, URLZone mainly attacked Japanese companies during this period:

Figure 1: Japan (JP) and non-JP URLZone detections, February-April 2018

URLZone relies on phishing emails and infected attachments to compromise a system. It uses macro code embedded in malicious MS Office documents to download and execute a malicious executable file, as shown in Figure 2 and Figure 3:

Figure 2: Encoded macro code

Figure 3: Deobfuscated macro code includes PowerShell Script
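The delivery chain just described (a macro in an Office document launching PowerShell to fetch and run an executable) leaves a characteristic trace in process-creation telemetry, and that is what a defender will usually hunt for. The following Python is an added example, not code from the Cylance post: it checks Sysmon-style process-creation records for an Office application spawning a script host, and for PowerShell command lines carrying download-cradle or obfuscation indicators. The record fields (`parent_image`, `image`, `command_line`), the indicator patterns and the sample events are all assumptions constructed for this example, not data from the campaign.

```python
"""Hunt for an Office-macro-to-PowerShell delivery chain in process telemetry.

Added example (not Cylance's code). Assumes process-creation events have been
normalised into dicts with the keys parent_image, image and command_line,
as a Sysmon Event ID 1 feed would give after parsing. All sample events below
are constructed for illustration.
"""
import re

# Office applications whose documents commonly carry macros
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters a macro typically hands off to
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line traits of a download cradle or obfuscated launcher (assumed list)
CRADLE_PATTERNS = [
    ("download_api", re.compile(
        r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer",
        re.I)),
    ("encoded_command", re.compile(
        r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("base64_decode", re.compile(r"frombase64string", re.I)),
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Collect the reasons an event looks like macro-driven payload delivery."""
    reasons = []
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    cmd = ev.get("command_line", "")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append(f"office_spawns_script_host:{parent}->{child}")
    for name, pat in CRADLE_PATTERNS:
        if pat.search(cmd):
            reasons.append(f"cradle_indicator:{name}")
    return reasons


def classify(ev: dict) -> tuple:
    """Map reasons to a severity: both parent chain and cradle traits -> high,
    either alone -> medium, nothing -> none."""
    reasons = score_event(ev)
    chain = any(r.startswith("office_spawns") for r in reasons)
    cradle = any(r.startswith("cradle_indicator") for r in reasons)
    if chain and cradle:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "none", reasons


def find_suspicious(events: list) -> list:
    """Return (index, severity, reasons) for every event scored above none."""
    hits = []
    for i, ev in enumerate(events):
        sev, reasons = classify(ev)
        if sev != "none":
            hits.append((i, sev, reasons))
    return hits


# Constructed sample telemetry; the base64 blob is a placeholder, not real content
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc QQBCAEMAQQBCAEMAQQBCAEMAQQBCAEMA"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe Get-ChildItem C:\Users"},
    {"parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo hello"},
    {"parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 8192"},
]

if __name__ == "__main__":
    for idx, sev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: {sev} {reasons}")
```

The two-tier scoring is deliberate: an Office application launching a script host is common enough in some environments that it should raise a medium alert for triage, while the combination with a hidden window and an encoded command is specific enough to page on.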


*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Threat Guidance Team. Read the original post at: