Cybereason, creators of the leading Cyber Defense Platform, today announced that its Nocturnus team discovered a new, undocumented variant of the prolific Ursnif banking malware, specifically customized for, and aimed at, Japanese users. The variant is targeting specific security products used to protect Japanese users from banking trojans. Victims are typically infected by opening phishing emails, and in many cases these emails lure unsuspecting users to open attachments disguised as invoices.
Assaf Dahan, Cybereason’s senior director, head of threat hunting, discovered the new Ursnif variant. This variant has a completely new and stealthy persistence mechanism, leaving a very small digital footprint and evading many security products currently on the market. In addition, Ursnif comes with robust, built-in information stealing modules, focusing on mail account stealers as well as a digital wallets-stealing module.
“Ursnif has caused untold global damage, costing individuals tens of millions of dollars in losses. The adversaries are after the money, but will try to capitalize on any other sensitive information they can obtain,” added Dahan. “Recently, we are seeing banking trojans that are engaging more and more in information stealing and are not only after financial data. This could be tied to a shift in user behavior, to mobile online banking, as well as the efficiency of security products that prevent online theft and fraud.”
Dahan also discovered that the threat actors behind the campaign are running a highly localized attack strategy and are conducting several checks on location, language, and other settings to confirm the device and target is located in Japan. The language check provides two benefits to the malware: it allows for a controlled and intentional targeting of a single market, and it helps the malware avoid most sandboxes and virtual machines used by researchers (the majority of those don’t have the Japanese language installed or set by default).
To review Cybereason’s full analysis and findings on the attack, please visit:
Cybereason, creators of the leading Cyber Defense Platform, gives the advantage back to the defender through a completely new approach to cybersecurity. Cybereason offers endpoint detection and response (EDR), next-generation antivirus (NGAV), and active monitoring services, powered by its cross-machine correlation engine. The Cybereason suite of products provides unmatched visibility, increases analyst efficiency and effectiveness, and reduces security risk. Cybereason is privately held, has raised $189 million from top-tier VCs, and is headquartered in Boston, with offices in London, Tel Aviv, and Tokyo.
Director, Public Relations