
BEBLOH Expands to Japan in Latest Spam Attack

  • Posted on:July 5, 2016 at 7:42 pm
  • Posted in:Malware, Spam
  • Author:
    Janus Agcaoili (Threat Response Engineer)

An old banking Trojan that had been operating at a low level in Europe has spiked in activity after migrating to Japan. Cybercriminals are using local brand names, such as local ISPs, and legitimate-looking sender addresses to fool users into downloading malware that steals information by monitoring browsers, file transfer protocol (FTP) clients, and mail clients. Its targets? Mostly rural banks.

BEBLOH is a banking Trojan that has been around since as early as 2009. It has outlived several competitors, including Zeus and SpyEye. It is designed to steal money from unsuspecting victims right out of their bank accounts without them even noticing. BEBLOH has always come up with new defensive measures to avoid AV products, and this time is no different. BEBLOH is also known for hiding in memory, creating a temporary new executable file upon shutdown, and deleting that file after re-infecting the system.

Local Issue

Currently in Japan, most spam written in Japanese leads to banking Trojans rather than to other malware like ransomware. Based on a press release (in Japanese) by Japan’s National Police Agency on March 3, 2016, rural banks and credit unions have been targeted in addition to major banks. The agency reported that 2015 saw the country’s biggest loss to banking Trojans, amounting to about ¥2.65 billion or USD 25.8 million. With BEBLOH adding to the fray, Japan could face bigger problems with banking Trojans.

Currently, we have observed that URSNIF and BEBLOH are active in Japan, along with other traditional banking Trojans like ZBOT. From almost zero detections during the first eleven months of 2015, BEBLOH started its campaign with 324 detections in Japan in December 2015. Detections reached as high as 2,562 in March 2016, the same month the press release above was published.

Everyone’s a possible target

BEBLOH targets both end-users and enterprise employees in its campaign. We saw emails sent to company email accounts as well as to private accounts. Subjects range from personal matters such as loans, shopping, and deliveries to professional topics like human resources. This variety gives the campaign a wider spread and more infections.

Translation: “This mail is sent with an electronic signature to enhance security.
This is to inform you that we have received remittance on March 3, 2016.
electric signature (Digital signature)”

Translation: “complete image of records”

Figure 1. Sample spam emails sent to individuals and groups

New Routines

BEBLOH changes its packers quickly and frequently. Some versions, as a step in their unpacking, perform process hollowing on their own process, while other versions unpack in their own memory before hollowing a legitimate process (e.g., explorer.exe or iexplore.exe). This allows the malware to evade file-based detection, since detection patterns need to keep up with BEBLOH’s packer changes.

Once installed, BEBLOH connects to a command and control (C&C) server and handles three types of responses: update itself, sleep, and download a web inject configuration. As mentioned, BEBLOH can steal information and use it to pillage victims’ bank accounts.

So far, we have observed BEBLOH downloading TSPY_URSNIF, a spyware that monitors browsers, file transfer protocol (FTP) clients, and mail clients. Note that all banking Trojans operate in the same or a similar way.

Apart from the spyware, BEBLOH also downloads BKDR_PUSHDO, a spambot malware.

While communicating with the C&C server, we saw that the URLs used in its download routine changed depending on the reply of the C&C server. We observed samples that used three different download URLs on three separate days. The responses from the URLs are usually encrypted; once decrypted, they follow this format: CV {value}/r/n>DI/r/n>LD {URL}.

Figure 2. Decrypted communication from C&C server
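The decrypted response format above is simple enough to parse mechanically, which is useful when an analyst wants to pull the download URLs out of a batch of decrypted C&C replies and feed the hosts to a blocklist. The following parser is an added example written for this page, not code from Trend Micro or from the malware; it assumes that the "/r/n" in the write-up denotes CRLF line breaks (while also tolerating the literal text), that each line carries a two-letter opcode with an optional argument, and that the URL after LD is the only field a defender needs to extract. The sample response and the URL in it are constructed.

```python
"""Parse decrypted BEBLOH-style C&C replies of the form
CV {value}\r\n>DI\r\n>LD {URL} and extract download hosts for blocklisting.
Added example for this write-up; the opcode semantics beyond LD are assumed."""
import re
from urllib.parse import urlparse

# Constructed sample reply. The ">" prefix on continuation lines and the
# CRLF separators follow the format quoted in the write-up.
SAMPLE_RESPONSE = "CV 1234\r\n>DI\r\n>LD http://example.invalid/payload.bin\r\n"

# Accept real CRLF/LF line breaks and also the literal "/r/n" text that appears
# when the format is copied out of a report rather than a packet capture.
_LINE_SPLIT = re.compile(r"\r?\n|/r/n")


def parse_response(text):
    """Return a list of (opcode, argument) tuples in the order received.

    Each line is an optional '>' marker, a two-letter opcode and an optional
    argument; opcodes without an argument (DI) get None.
    """
    commands = []
    for raw in _LINE_SPLIT.split(text):
        line = raw.strip().lstrip(">").strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opcode = parts[0].upper()
        argument = parts[1].strip() if len(parts) > 1 else None
        commands.append((opcode, argument))
    return commands


def extract_download_hosts(text):
    """Return the hostnames named by LD (download) commands.

    Only http/https URLs with a parseable host are kept, so a malformed or
    truncated LD line yields nothing rather than a bogus blocklist entry.
    """
    hosts = []
    for opcode, argument in parse_response(text):
        if opcode != "LD" or not argument:
            continue
        parsed = urlparse(argument)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.append(parsed.hostname)
    return hosts


if __name__ == "__main__":
    for opcode, argument in parse_response(SAMPLE_RESPONSE):
        print(f"{opcode}: {argument}")
    print("download hosts:", extract_download_hosts(SAMPLE_RESPONSE))
```

Because the download URL changes from day to day, the hosts this returns are best treated as short-lived indicators: useful for retrospective proxy-log searches and for blocking while the campaign is active, not as a durable signature.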

For now, we can see that BEBLOH is monitoring 17 different Japanese banks. These include rural banks, credit unions, online banks, and major banks. By targeting smaller banks, the attackers hope that their actions will go unnoticed, since smaller banks tend to have less sophisticated security. This appears to be the banking Trojan landscape of Japan in 2016.

Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect users from this threat by detecting malicious files, and spammed messages as well as blocking all related malicious URLs.

For enterprises, our Trend Micro Deep Discovery Email Inspector uses advanced detection techniques to identify and block the spear phishing emails used in these attacks to fool users into downloading and opening malicious attachments. It can block malicious email attachments such as Office documents with macro malware, PDFs, executables, scripts, and more. It can also block malicious URLs embedded in the body or subject of messages and URLs embedded within documents.

The following hashes are related to this attack:

  • 342f10ba182897ef5eb58a10b8d5173a47d04760 – TSPY_BEBLOH.RLS
  • 8ca281b70f1a7a9017bd29ada84ef28e6e6cc2c4 – TSPY_BEBLOH.YYS
  • cd34148a1ce37b13389647674653e981cfacd522 – TSPY_BEBLOH.YYU
  • d628a73fba0782df945db4e2887cf9981a5814c8 – TSPY_BEBLOH.TZZ
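The hashes above are SHA-1 digests, so a quick way to check a host or a quarantine share for these samples is to hash files and compare against the list. The sweep below is an added example written for this page, not a Trend Micro tool; it embeds the four indicators exactly as published, hashes files in chunks so large files do not have to fit in memory, and skips unreadable files instead of aborting the sweep. The directory path in the usage line is a placeholder.

```python
"""Sweep a directory tree for files whose SHA-1 matches the BEBLOH indicators
published in the write-up. Added example; the directory path is a placeholder."""
import hashlib
import os

# SHA-1 indicators from the write-up, mapped to the detection names given there.
BEBLOH_SHA1 = {
    "342f10ba182897ef5eb58a10b8d5173a47d04760": "TSPY_BEBLOH.RLS",
    "8ca281b70f1a7a9017bd29ada84ef28e6e6cc2c4": "TSPY_BEBLOH.YYS",
    "cd34148a1ce37b13389647674653e981cfacd522": "TSPY_BEBLOH.YYU",
    "d628a73fba0782df945db4e2887cf9981a5814c8": "TSPY_BEBLOH.TZZ",
}


def sha1_of_bytes(data):
    """SHA-1 hex digest of an in-memory byte string (used for small samples and tests)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20):
    """SHA-1 hex digest of a file, read in 1 MiB chunks so large files stream."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_digest(digest, indicators=BEBLOH_SHA1):
    """Return the detection name for a digest, or None if it is not an indicator.

    Digests are normalised to lowercase so hashes copied from tools that print
    uppercase hex still match.
    """
    return indicators.get(digest.lower())


def scan_directory(root, indicators=BEBLOH_SHA1):
    """Walk root and return {path: detection_name} for every matching file.

    Files that cannot be opened (locked, permission denied, vanished mid-walk)
    are skipped so one bad file does not stop the sweep.
    """
    matches = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            detection = match_digest(digest, indicators)
            if detection:
                matches[path] = detection
    return matches


if __name__ == "__main__":
    # Placeholder path: point this at a quarantine share or suspect directory.
    for path, detection in scan_directory("/path/to/scan").items():
        print(f"{detection}\t{path}")
```

Hash matching only catches these exact samples; given how often BEBLOH swaps packers, treat a clean sweep as "these four files are absent", not as evidence that the host is uninfected.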

With additional insights by Yuka Higashi

Tags: banking Trojan, BEBLOH, Spam
