
URLZone

Posted: July 23, 2019

URLZone is a banking Trojan that can compromise your bank account credentials or conduct other attacks, especially downloading other Trojans. Its payloads are frequently tailored to companies based in Japan, and its operators prefer e-mail-based infection methods. Users should educate themselves on protecting their workplace from phishing tactics and use anti-malware services for removing URLZone when applicable.

Entering a Zone of Cooperative Software Heists

Using software like a banking Trojan to break into accounts and collect money is nothing new to threat actors, and it is a notable characteristic of the threat landscape in South America, thanks to families like Client Maximus and Sphinx. However, other regions of the world aren't immune. The URLZone banking Trojan, most often circulating in the Japanese business sector, is representative of the dependencies that these Trojans can develop while supporting one another.

Currently, URLZone seems to be spreading with the aid of one threat actor, although the Trojan's overall lifespan is a decade long. The criminal in question uses e-mail phishing tactics customized for Japanese recipients, referring to financial content such as invoices, to trick victims into compromising their networks. After opening the corrupted attachment and enabling its macro, which launches PowerShell, the user infects the system with URLZone.
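The infection chain above (a Word attachment whose macro launches PowerShell) leaves a recognisable parent/child trace in process-creation telemetry. The following is an added example, not code from the original article: a small Python detection pass over constructed Sysmon-style process-creation records, flagging an Office application spawning a script host and raising the score when the command line carries typical macro-launcher traits. The log format, field names and sample lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Heuristic command-line traits often seen with macro-launched PowerShell (assumed, not from the article).
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE,
)

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: ProcEvent) -> int:
    """0 = ignore; 1 = Office app spawned a script host; 2 = and the command line looks suspicious."""
    if basename(ev.parent_image) not in OFFICE_APPS or basename(ev.image) not in SCRIPT_HOSTS:
        return 0
    return 2 if SUSPICIOUS_ARGS.search(ev.command_line) else 1

def parse_line(line: str) -> ProcEvent:
    """Constructed format: 'Key=Value' fields separated by '|' (split on the first '=' only)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])

def find_macro_chains(lines):
    """Return (score, event) for every record that scores above zero, in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        score = score_event(ev)
        if score:
            hits.append((score, ev))
    return hits

SAMPLE_LOG = [  # constructed records, not real telemetry
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Office16\WINWORD.EXE|CommandLine=WINWORD.EXE /n invoice.doc",
    r"ParentImage=C:\Office16\WINWORD.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc AAAA",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe Get-Date",
    r"ParentImage=C:\Office16\EXCEL.EXE|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c echo hi",
]

if __name__ == "__main__":
    for score, ev in find_macro_chains(SAMPLE_LOG):
        print(score, basename(ev.parent_image), "->", basename(ev.image), "|", ev.command_line)
```

The second and fourth sample records are flagged (scores 2 and 1); a user-launched PowerShell under cmd.exe is not, which is the distinction a triage analyst wants before looking at the document that started the chain.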

URLZone runs through a series of conventional anti-analysis and sandbox-evasion checks before continuing with its payload. Besides being a banking Trojan in its own right, URLZone also installs other threats; its current attacks deploy Cutwail, a spam-sending bot, and Ursnif, a second banking Trojan. Why the criminal uses Ursnif instead of URLZone's built-in functionality for breaking into bank accounts is up for debate, although it may be for Ursnif's powerful backdoor features for taking over the rest of the network. Malware experts also suspect that Cutwail is in use as the distributor for URLZone, given its role in sending spam e-mail.

Breaking the Chain of Trojans Helping Trojans

Workers who don't open URLZone's Word document, or who don't enable its macro, are safe from its installation attempts. Since phishing e-mails for URLZone's campaigns tend toward the business sector, users should anticipate attacks using heavily localized and custom-made content to improve the odds of getting clicks from victims. Company, industry, and even employee-specific details may be present.

Compromised computers should be isolated immediately from both the internet and the rest of the network. Internet access can allow URLZone's payload to continue causing harm, such as Cutwail sending spam or Ursnif giving the threat actor remote desktop access. As with any spyware-related attack, changing passwords after disinfection is the standing recommendation of malware analysts.

URLZone uses injection into Windows processes, among other features, to avoid notice while it's active. Still, professional anti-malware products should identify and delete URLZone in most cases.

Just as people are part of a sprawling society, Trojans like URLZone aren't always alone. When Trojans work together, users need to jam the gears of their data- and money-collecting attacks before their intricate strategies can come into play.
