Figure 2 Version 216896 (Top) and Version 216887 (Bottom) Tor Function Possibility of two attacker groups behind the sceneįrom investigating DreamBot, we found several common features among those being spread in Japan.ĭreamBot uses Serpent encryption and RSA encryption, etc. In version 216896, check the character strings boxed in red such as the Tor Client or the. As far as we have investigated, the Tor function has been added from version 216896, so we believe it became DreamBot from this version onwards.įigure 2 shows the comparison between Version 216896 (DreamBot) with the Tor function and version 216887 (Ursnif) which is considered to be the previous version. This Ursnif with the Tor module came to be known as DreamBot. When 2017 came in, Ursnif had a function which downloads the Tor module (*1) from an external site, and then communicates to the C2 (command server) via the Tor module. Ursnif is being upgraded every passing day and functions are also being upgraded and revised.
Speaking of Ursnif, it was 2016 when it was rampant in Japan so it's still fresh in memory. There are many codes that are similar to Ursnif. Ransomware 「WannaCry」 Countermeasure Guide rev.1(Japanese) About DreamBot Figure 1 Examples of broadcast emails in JapaneseĭreamBot is a malware that extends the functions of Ursnif (Alias: Gozi) and it is mainly targeting financial institutions to steal authentication information in internet banking. *Regarding the large-scale cyberattack ransomware "WannaCry" I have summarized it here, so please use this as a reference on threat overview and measures that need to be taken by your organization. This time, I tried to investigate the attacker group spreading DreamBot by using a broadcasting email in Japanese
#WHERE DOES DREAMBOT DOWNLOAD TO ZIP#
Both of the attached files were compressed in zip format and the contents of the zip files were executable files (DreamBot) and a "js file" embedded in the word document would download DreamBot from an unauthorized site. In March 2017, even though the Japan Cyber Crime Prevention Center announced a warning about DreamBot, the attack campaign has continued and as of May 2017, we have detected broadcast type of emails in Japanese several times a week spreading the DreamBot infection.įigure 1 shows an example of a broadcast type of email in Japanese received on May 15 and 18.
Attack Vectors Behind Online Banking Malware "DreamBot" Targets JapanĪlthough the damage caused by the WannaCry ransomware has been reported worldwide, in Japan, the attack campaign of the internet banking malware called "DreamBot" is still ongoing.
0 kommentar(er)
