The Gozi banking trojan has set its sights on a new land: Japan, a country with a historically low rate of financial malware activity.
According to IBM X-Force data, Gozi (aka Ursnif) has lately moved on from its traditional targets in North America, Europe and Australia to hit banks and payment providers in Japan.
“In most cases of malware migration, cyber-criminal groups with adequate resources are looking for easier money, less security and an element of surprise for users who are less accustomed to their spam ploys and social engineering during the banking session,” IBM X-Force researchers explained, in an alert. “[Also], the history of organized cybercrime in Japan is not very long. The past five years featured more generic malware and local attackers using proxy changers more than anything else.”
Many other organized groups, such as those behind Dridex and TrickBot, target banks in as many as 40 countries but have largely stayed away from Japan. This is likely because of the “connections other gangs have with local cybercrime and money-laundering groups. Even on the internet, gangs often stick to their own turf,” IBM X-Force researchers noted.
Banking, as it were, on user unfamiliarity with these types of campaigns, Gozi operators began in September to spread emails with fake attachments and malicious links purporting to come from financial services and payment-card providers, according to IBM X-Force. The campaign's email volume spikes in cyclical weekly rounds, usually peaking on Tuesday evenings; attempted infections peak on Thursdays and Fridays and are relatively low during the weekend and early weekdays.
The group is using secure sessions, web injection attacks and, in some cases, page redirections to grab data. This Gozi variant also targets user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.
“In terms of its development cycles, Ursnif was the most active malware project in 2016, topping other banking Trojans with the largest number of updates made to its loader and binary to evade security research and detection,” IBM X-Force said. “It has kept its position so far in 2017.”