Narwhal Spider APT group using steganography to deliver URLZone malware to Japanese victims

• The Narwhal Spider threat group has also been operating a new Cutwail spam campaign that provides services to various cybercriminals.
• The campaign targeting Japan was spotted using a combination of steganography and malicious PowerShell.

The URLZone malware is currently being used by a threat group called Narwhal Spider to target victims in Japan. The campaign targeting Japan was spotted using a combination of steganography and malicious PowerShell.

The Narwhal Spider threat group has also been operating a new Cutwail spam campaign that provides services to various cybercriminals. The threat group primarily provides services to malware operators such as Wizard Spider and Bamboo Spider - the developers of TrickBot and Panda Zeus.

“The targets and payloads delivered through Cutwail spam campaigns are determined by the customers of NARWHAL SPIDER,” CrowdStrike researchers, who discovered the new campaign, wrote in a blog.

Modus operandi

The phishing emails targeting Japanese victims contain macro-enabled, malicious Microsoft Excel attachment. When the malicious attachment is opened, the malicious payload begins a deobfuscation routine and then executes a PowerShell command. The malware also checks for whether the targeted system is using the Japanese language.

Once the URLZone is installed onto a targeted machine, the malware downloads an additional payload, which researchers believe could be similar the Gozi banking malware, which has previously also been used to target Japanese victims.

“Cutwail spam levels in the last three months have been significantly lower. The introduction of steganography may suggest that NARWHAL SPIDER has been developing new, innovative methods to evade detection and improve infection rates,” CrowdStrike researchers added. “Although not commonly used by eCrime actors, steganography has been used for malware delivery in the past, such as the Lurk Downloader and StegoLoader.”