The unstolen Matrix

After having handled thousands and thousands of phishing emails/webpages, they usually don’t actually reach me in any way or form. They are processed and added to our detection list in what is now a merely routine task. But recently I got a mail which was different because it appeared to be sent from my bank.

Spammers send out huge amounts of such emails over the Internet. In this case it reached our address that receives malicious samples. So we didn’t need to go and search for any maliciousness – it came to us of its own volition.
Usually I can spot fake emails because they concern organizations which I have no connection to. But this time it was different because it was a bank that I actually use. My salary goes there and I got a clear insight into how the first stage of social engineering is accomplished. It built a kind of ‘trusted relation’ because it came from ‘my bank’ and only they know that I am a customer there.

In the past, fake emails like this were often easy to identify due to the terrible spelling and/or grammatical mistakes. But this time the mail content looked quite convincing, at least at first glance.
The Japanese language is incredibly rich and beautiful because it consists of an extensive system to express politeness and formality. Some phrases in the email simply lacked the level of a well-educated writer.

The email had an executable file attached.
Its purpose is to steal the passwords and “Transaction Authentication Number” (TAN) of unsuspecting users.
Here is a screen capture of the mail attachment when executed …

And this is a snapshot of a real matrix that has not been stolen. This is mine and the numbers are rendered unreadable so that you cannot retrieve money from my bank account :-).

According to the “Information-technology Promotion Agency Japan” (IPA) and the “Japan Computer Emergency Response Team Coordination Center” (JPCERT), some similar binary files were received and reported by users in Japan. The “Bank of Tokyo-Mitsubishi UFJ” is aware of this malicious activity and posted a warning to its users on 25 August.

Another recent case may be a sign that attacks on Japanese organizations are on the rise.
Here is a phishing web page hosted in Poland that was still alive at the time of writing. Besides our Kaspersky Phishing-Popup, the “Opera” browser also warns about the dangers of this site.

We were able to discover the related “Phish-Kit”, a zip archive containing all the files for this threat. The content suggests that the criminal who planted these files might be Romanian. Here are the details:

We can see a Gmail address set as the receiver of the harvested data.
Users of Kaspersky Lab solutions are protected from this threat and, as usual, we would like to remind everybody to be extremely cautious with executing mail attachments of any kind from strangers.

The unstolen Matrix

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox