New Cutwail botnet spam campaign targeting Japan with Bebloh and Ursnif malware

• The campaign abused IQY and PowerShell to deliver the malware variants.
• The spam campaign has already delivered 500,000 emails.

The Cutwail botnet has been distributing a new spam campaign targeting victims in Japan. The campaign abused IQY and PowerShell to evade detection methods and deliver either the Bebloh or the Ursnif malware variants.

The campaign, which began on August 6, has already delivered over 500,000 emails. The spam emails were found using traditional social engineering techniques to trick users into clicking on the malicious attachments. If a victim opens the attached IQY file, it queries the URL in its code.

Modus operandi

According to security researchers at Trend Micro, who discovered the new campaign, the data extracted by the web query file contains a script that can abuse the Excel’s Dynamic Data Exchange (DDE) feature. This in turn powers the execution of a PowerShell process, which checks if the infected system is located in Japan. A Japanese IP address triggers the final payload - Bebloh or Ursnif. However, the malware is not downloaded if the IP address is not located in Japan.

“In the second wave of spam mails detected on August 8, the PowerShell scripts used to download the final payload were obfuscated — a common scheme used to make it difficult for security solutions to analyze the scripts,” Trend Micro researchers wrote in a blog. “We also observed that URSNIF has become the lone malware in the payload. Apart from these changes, the campaign’s infection chain remains similar to the first wave of spam mails.”

Ursnif & Bebloh

Both Ursnif and Bebloh, which are both popular banking malware, have been active in Japan in 2016. Bebloh has been designed to steal money from victims’ bank accounts without alerting them. Meanwhile, Ursnif comes packed with advanced data-stealing features. Ursnif is also capable of browser monitoring and evading sandbox detection techniques.

The Bebloh malware is also capable of collecting a vast amount of information including machine name, keyboard layout, network configuration, OS information computer name, keyboard logs, email credentials, digital certificates and more. Meanwhile, the Ursnif malware saves the stolen data, monitors browser activities, disables protocols in Firefox and deletes itself if it runs in a sandbox environment.

“BEBLOH is a banking trojan designed to steal money from victims’ bank accounts without them even noticing,” Trend Micro researchers said. Meanwhile, URSNIF is known for being a data-stealing malware armed with behaviors that include hooking executable files for browser monitoring and using simple checks to evade sandbox detections, among others.”