Ursnif, also known as Gozi, is a financial malware family that has set its sights on a new target: Japan. Japan is known for a low volume of banking malware activity. However, according to IBM X-Force data, the Gozi malware has shifted its focus from the USA, Europe and Australia to Japan.
The researchers also add that:
In most cases of malware migration, cyber-criminal groups with adequate resources are looking for easier money, less security and an element of surprise for users who are less accustomed to their spam ploys and social engineering during the banking session. The history of organized cybercrime in Japan is not very long; the past five years featured more generic malware and local attackers using proxy changers more than anything else.
Interestingly, other financial malware families, including Dridex and TrickBot, target about 40 countries, but not Japan. Moreover, cyber attacks in Japan have been uncommon: since 2012, Japanese users were attacked mainly through proxy changers. The situation worsened in 2015 with the emergence of the Shifu Trojan, which remained active until it ceased operations in 2017. IBM X-Force researchers explained that the low cybercrime rate in Japan could be due to “the connections other gangs have with local cybercrime and money-laundering groups. Even on the internet, gangs often stick to their own turf.”
In September, the Gozi operators began spreading fraudulent emails carrying malicious attachments and links. The emails impersonate banks and other financial service providers. According to the security researchers at IBM X-Force, the attackers behind the Trojan operate in weekly cycles, often increasing their volume on Tuesday nights and peaking on Thursdays and Fridays. In contrast, the rate of attempted infections is much lower on weekends and Mondays. The researchers also reported that the group behind Gozi performs web injection attacks inside the victim's secure banking session and, in some circumstances, uses page redirections to steal information.
This Gozi Trojan version also aims to steal consumer credentials for email, e-commerce sites, cloud storage and cryptocurrency exchange platforms. According to IBM X-Force data on financial malware, the Trojan was the most active malicious code in the industry in 2016, and Gozi has continued to dominate since.
The list below shows the share of banking malware activity by family in 2017:
- 24% – Zeus variations
- 21% – Gozi variants
- 15% – Ramnit
- 14% – Dridex
- 9% – Zeus Sphinx
- 7% – TrickBot
- 3% – Gootkit
- 2% – Qadars
- 1% – Zeus Panda
“In terms of its development cycles, Ursnif was the most active malware project in 2016, topping other banking Trojans with the largest number of updates made to its loader and binary to evade security research and detection. It has kept its position so far in 2017,” researchers at IBM X-Force reported.