By CagedTech in Malware

The URLZone malware was first introduced as a banking Trojan back in 2009. However, over the years, the creators of the URLZone malware have introduced several updates to this threat and have repurposed it completely. Now, the URLZone malware serves as a first-stage payload, which is meant to deliver much more threatening and contemporary banking Trojans like the infamous Ursnif Trojan.

Campaigns Targeting Japan

One of the latest campaigns that employed the URLZone malware targeted Japan. The authors of the URLZone malware tailored a number of different phishing email templates. These phishing emails carry a macro-laced attachment, which delivers the payload of the threat. To reduce the chance of antivirus detection, the malicious code in the attachments has been heavily obfuscated.

As a self-preservation technique, the URLZone malware performs a few checks to determine whether the infiltrated machine is a sandbox environment used to analyze malware. This is done by checking:

  • Whether malware debugging applications are present.
  • GPU BIOS details.
  • Processor information.
  • Specific Windows Registry entries linked to Virtual Machine software.

Installs Cutwail or Ursnif Banking Trojans

If none of these checks indicate a sandbox, the URLZone malware continues its shenanigans. Next, it launches a bogus copy of Windows Explorer or Internet Explorer, named ‘explorer.exe’ or ‘iexplore.exe’ respectively. The next step is establishing a connection with the attackers' C&C (Command & Control) server and downloading a harmful payload, which is then installed on the compromised machine. In April 2019, the additional malware deployed by the URLZone threat consisted of variants of the Cutwail banking Trojan and the Ursnif banking Trojan.
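The two behaviours described above give a defender something concrete to hunt for: a process calling itself ‘explorer.exe’ or ‘iexplore.exe’ that runs from somewhere other than the real binary's install directory, and either of those names being spawned by an Office application (the macro-laced attachment). The following is an added example, not code from the original post or from any URLZone analysis. It runs a simple classifier over constructed process-creation records shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the expected install directories and the Office parent names are assumptions for a default Windows layout, and the sample events are made up. It also assumes the bogus copy is a file dropped outside the normal install path; if the malware instead starts the genuine binary and injects into it, the path check will not fire and the Office-parent check becomes the relevant signal.

```python
"""Flag process-creation events where explorer.exe / iexplore.exe run from an
unexpected directory or are spawned by an Office application.

Added example. Event records below are constructed to resemble Sysmon
Event ID 1 fields; they are not taken from a real URLZone infection.
"""
from __future__ import annotations

import ntpath  # Windows path semantics, available on every platform
from dataclasses import dataclass

# Assumption: default install locations on a 64-bit Windows host.
EXPECTED_IMAGE_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "iexplore.exe": {
        r"c:\program files\internet explorer",
        r"c:\program files (x86)\internet explorer",
    },
}

# Assumption: the Office binaries that would host a malicious macro.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class ProcessEvent:
    image: str          # full path of the new process (Sysmon "Image")
    parent_image: str   # full path of the parent (Sysmon "ParentImage")
    command_line: str = ""


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _dirname(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def classify(event: ProcessEvent) -> list[str]:
    """Return the list of findings for one event (empty list = benign).

    'masquerade_path': a watched name running outside its expected directory.
    'office_parent'  : a watched name spawned directly by an Office process.
    """
    findings: list[str] = []
    name = _basename(event.image)
    if name not in EXPECTED_IMAGE_DIRS:
        return findings  # not one of the names URLZone borrows
    if _dirname(event.image) not in EXPECTED_IMAGE_DIRS[name]:
        findings.append("masquerade_path")
    if _basename(event.parent_image) in OFFICE_PARENTS:
        findings.append("office_parent")
    return findings


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, findings) for every event that produced a finding."""
    results = []
    for event in events:
        findings = classify(event)
        if findings:
            results.append((event.image, findings))
    return results


# Constructed sample telemetry: two benign events, two suspicious, one unrelated.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\userinit.exe"),
    ProcessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\victim\AppData\Local\Temp\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Users\victim\AppData\Roaming\iexplore.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

Matching on the parent alone would also flag legitimate cases (a user clicking a hyperlink in Word launches a browser), so in practice the two findings are best scored together, and the path finding alone is the higher-confidence one. Both names are compared case-insensitively because Windows paths are.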

It is fundamental that you take good care of your cybersecurity and make sure to obtain a reputable anti-virus software suite, which will keep your PC safe from threats like the URLZone malware.
