{
	"id": "fa81988b-8c3f-406d-907d-ea0c17706664",
	"created_at": "2026-04-06T00:13:29.102389Z",
	"updated_at": "2026-04-10T03:21:49.27211Z",
	"deleted_at": null,
	"sha1_hash": "8d70f521dbde7e82782f127672c8dbca53a79033",
	"title": "Vawtrak and UrlZone Banking Trojans Target Japan | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 331278,
	"plain_text": "Vawtrak and UrlZone Banking Trojans Target Japan | Proofpoint US\r\nBy Proofpoint Staff, February 05, 2016\r\nPublished: 2016-02-05 · Archived: 2026-04-05 12:37:25 UTC\r\nOverview\r\nIn January and February 2016, Proofpoint researchers observed threat actors spreading banking Trojans in Japan and other countries that had not recently experienced high volumes of this family of malware. These countries certainly have not been targeted previously in the same way as the UK, United States, and others. Instead, it appears that the new campaigns in Japan (and Spain) are continuations of the trend first observed with Shifu in October 2015. The key takeaways are:\r\nThe UrlZone banking Trojan is spreading via email spam and targeting Japanese and Spanish banks\r\nThe Vawtrak Trojan is spreading using Angler Exploit Kit and targeting Japanese banks\r\nBoth Trojans are using the same dynamic injects system that allows them to manipulate a financial institution’s website content (likely sharing resources or renting from the same third party)\r\nThe injects system appears to be written by a Russian author\r\nUrlZone Banking Trojan Campaigns\r\nOn January 21st of this year, Proofpoint researchers observed a large spam campaign consisting of tens of thousands of emails targeting Japanese email accounts. Other researchers have also observed an uptick in UrlZone activity in Japan, but there are additional details behind this emerging threat that are worth pointing out.\r\nEmails with the subject “copy 3” from multiple Gmail accounts contained a zipped executable and an empty email body. Proofpoint's observation of actors such as those spreading Dridex over the past year shows increasing use of very simple lure techniques like this throughout 2015. 
The simplicity and lack of apparent ruse does not appear to hinder this technique: it is simple to create, requires no imagination on the part of the actor, needs no localization, and may be sufficient to entice the user to click.\r\nhttps://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan\r\nPage 1 of 10\r\nFigure 1: Email lure\r\nThe attachment utilized in this campaign is Andromeda. Andromeda is a multi-purpose bot, but in this case it is primarily used to download UrlZone. However, as is often the case in malware ecosystems, Andromeda was also observed loading a plethora of additional malware.\r\nUrlZone: a man-in-the-browser banking Trojan that has been around for several years\r\nPushdo Downloader: aside from adding the infected computer to a spam botnet, the loader also downloaded a Neutrino Bot\r\nNeutrino Bot: a multi-purpose bot capable of stealing passwords, DDoS, loading additional payloads, etc. In this instance, it downloaded Pony for additional stealing.\r\nPony: primarily used for loading additional malware and stealing passwords and Bitcoin wallets. This instance was used for its stealing capabilities.\r\nIt is also worth mentioning that Proofpoint observed a large related Cryptowall campaign on January 27, 2016. The Cryptowall campaign downloaded the same Neutrino Bot that was present in the UrlZone campaign. Also, on December 11, 2015, we observed an email campaign delivering the same Andromeda botnet found in the UrlZone campaign, but in the December campaign, Andromeda only downloaded Pushdo. 
The observations suggest that these campaigns are likely connected by shared affiliates and/or spamming partners.\r\nFigure 2: UrlZone and related campaigns\r\nThe table below shows the banks (and customers) targeted in the UrlZone campaign.\r\nBank Country Targeted Domains\r\nBankinter Spain empresas.bankinter.com\r\nBanco Sabadell Spain www.bancsabadell.com, ww1.sabadellcam.com, ww1.sabadellurquijo.com\r\nBanca Multicanal Spain www.ruralvia.com\r\nSumitomo Mitsui Banking Corporation Japan directd?.smbc.co.jp\r\nThe Musashino Bank Japan ib1.musashinobank.co.jp\r\nThe Yamagata Bank Japan ib1.yamagatabank.co.jp\r\nJuroku Bank Japan bk.juroku.co.jp\r\nChugoku Bank Japan direct.chugin.co.jp\r\nBank of The Ryukyus Japan direct.ryugin.co.jp\r\nHachijuni Bank Japan direct1.82bank.co.jp\r\nThe Daishi Bank Japan ib.daishi-bank.co.jp\r\nHokkoku Bank Japan ib.hokkokubank.co.jp\r\nShinkin Bank Japan www11.ib.shinkin-ib.jp\r\nThe Norinchukin Bank Japan *direct.jabank.jp\r\nThe Tajima Bank Japan *parasol.anser.ne.jp\r\nResona Bank Japan *ib.resonabank.co.jp\r\nThe Japan Net Bank Japan *login.japannetbank.co.jp\r\nTsukuba Bank Japan ib.tsukubabank.co.jp\r\nThe Awa Bank Japan ib1.awabank.co.jp\r\nMIYAZAKIBANK Japan mib.miyagin.co.jp\r\nThe Hiroshima Bank Japan direct.ib.hirogin.co.jp\r\nFigure 3: Japanese and Spanish banking sites targeted by this instance of UrlZone\r\nVawtrak Banking Trojan Campaigns\r\nWhile our colleagues at Sophos and Trend previously wrote about Vawtrak targeting Japan in 2014 and earlier, there are so far no documented campaigns of the updated Vawtrak Trojan targeting Japan in 2015 or 2016. 
On February 2, 2016, however, we observed Angler EK delivering Vawtrak ID 28 to Japanese users.\r\nFigure 4: Angler EK delivering Vawtrak payload with Japanese targeting\r\nThe table below shows the banks specifically targeted by Vawtrak in the recent campaign:\r\nBank Country Targeted Domains\r\nSumitomo Mitsui Banking Corporation Japan directd?.smbc.co.jp\r\nThe Musashino Bank Japan ib1.musashinobank.co.jp\r\nThe Yamagata Bank Japan ib1.yamagatabank.co.jp\r\nJuroku Bank Japan bk.juroku.co.jp\r\nChugoku Bank Japan direct.chugin.co.jp\r\nBank of The Ryukyus Japan direct.ryugin.co.jp\r\nThe Daishi Bank Japan ib.daishi-bank.co.jp\r\nHokkoku Bank Japan ib.hokkokubank.co.jp\r\nHachijuni Bank Japan direct1.82bank.co.jp\r\nTsukuba Bank Japan ib.tsukubabank.co.jp\r\nThe Awa Bank Japan ib1.awabank.co.jp\r\nMIYAZAKIBANK Japan ib.miyagin.co.jp\r\nThe Hiroshima Bank Japan direct.ib.hirogin.co.jp\r\nShinkin Bank Japan www11.ib.shinkin-ib.jp\r\nThe Norinchukin Bank Japan direct.jabank.jp\r\nResona Bank Japan ib.resonabank.co.jp\r\nThe Japan Net Bank Japan login.japannetbank.co.jp\r\nThe Tajima Bank Japan parasol.anser.ne.jp\r\nSBI Sumishin Net Bank Japan netbk.co.jp\r\nFigure 5: Japanese banking sites targeted by Vawtrak ID 28\r\nDynamic Injects Shared by Vawtrak and UrlZone\r\nAfter extracting the injects code from both Trojans, we observed that there is an overlap in the targeted banks. Both banking Trojans are using the same dynamic injects system that allows them to manipulate a financial institution’s website content. This means that the two banking Trojans use the same JavaScript code for stealing login credentials, PINs, one-time passwords, etc. 
This could also mean that the responsible actors are sharing resources or renting from the same third party. Additionally, the injects JavaScript code appears to be written by a Russian developer, as observed by code comments such as “Startuem nash interval na proverku statusa”, which translates to “Begin our interval for checking the status”.\r\nFigure 6: Screenshot of part of the inject code\r\nConclusion\r\nAs others have noted, the emergence of banking Trojans in Japan and Spain presents some particular challenges. While organizations in other countries like the UK and the United States have been targets for massive Dridex, Dyre, Vawtrak (and other banking Trojan) campaigns and businesses there have implemented a number of protections, countries with less experience combatting these threats may find themselves vulnerable to considerable losses. Unfortunately, as threat actors saturate targets in many geographies, it's only a matter of time until new geographies begin experiencing the same sorts of volumes and persistence that characterize recent campaigns with Dridex and other malware.\r\nAppendix A: IOCs from campaigns containing UrlZone\r\nValue Type\r\n1a86cf4fb4dcb0e4e3aad41bc039d8302e0fd6f9fabe203efc77e3aec35e2f66 Andromeda hash\r\n606708C9479E1DF26545D469D3D54A0E268F01AD8AA061F6504968C3B1594A0C UrlZone hash\r\n757F2C62637765CBC8C7B9F5F63ED4AB00F34485F516A66B2A81B4EDFB731920 Pushdo hash\r\nCE08A35831F6F5777DB6E8FEA9BAC40808917FEC019338BA00285082737611FB Neutrino Bot hash\r\nE90050D963D376C1F75416EBF9BC6FFA2299046F8ADD1DDE6D67752443587411 Pony hash\r\n1d6d7ea0eeec99da1add9e83f672533eeee900dc817018ee6edbf635bb08cf0a UrlZone hash\r\nf3b9815ea4a6c603eafadb26efebec21565deec315ee007d59e92f0f656a90bb UrlZone hash\r\n15896a44319d18f8486561b078146c30a0ce1cd7e6038f6d614324a39dfc6c28 UrlZone hash\r\n[hxxp://huremoke[.]net/get.php] Andromeda C2\r\n[hxxp://votehad[.]su/paris.php] Andromeda C2\r\n[hxxp://shardsound[.]net/images.php] Andromeda C2\r\n[hxxp://kernsmee[.]ru/news.php] Andromeda C2\r\n[hxxp://masabodhi[.]com/andoluse.php] Andromeda C2\r\n[hxxps://hwnbv5woeedjffn[.]com] UrlZone C2\r\n[hxxp://5.45.179[.]179/ajax.php] Neutrino Bot C2\r\n[hxxp://5.45.179[.]179/p/ajax.php] Pony C2\r\n[hxxp://www.fondazionelanza[.]it/eng/v3.exe] Andromeda downloading UrlZone\r\n[hxxp://www.fondazionelanza[.]it/eng/akeyb.exe] Andromeda downloading Pushdo loader\r\n[hxxp://www.tajjquartet[.]com/ff/serif/payload.exe] Pushdo loader downloading Neutrino Bot\r\n[hxxp://www.tajjquartet[.]com/ff/serif/ponik.exe] Neutrino Bot downloading Pony\r\n[hxxps://ifree-online[.]com] UrlZone Injects C2\r\n
Appendix B: IOCs from campaigns containing Vawtrak\r\nValue Type\r\n9f1de72234dcf77ddf25b69df98058a7f9e633f803ddc2720209bb315ef3a04c Vawtrak hash\r\n[hxxp://begiekee[.]com/rss/feed/stream] Vawtrak C2\r\n[hxxp://searalihid[.]com/rss/feed/stream] Vawtrak C2\r\n[hxxp://zofienie[.]com/rss/feed/stream] Vawtrak C2\r\n[hxxp://deehiesei[.]com/rss/feed/stream] Vawtrak C2\r\n[hxxp://keanees[.]com/rss/feed/stream] Vawtrak C2\r\n[hxxp://peazor[.]com/rss/feed/stream] Vawtrak C2\r\n[hxxp://xeaberal[.]com/rss/feed/stream] Vawtrak C2\r\n[hxxp://dietoog[.]com/rss/feed/stream] Vawtrak C2\r\n[hxxp://mafoovoo[.]com/rss/feed/stream] Vawtrak C2\r\n[hxxp://geeseazei[.]net/rss/feed/stream] Vawtrak C2\r\n91.242.163[.]74:8080 Vawtrak C2\r\n[hxxp://5.187.2[.]19/module/272a5ad4a1b97a2ac874d6d3e5fff01d] Vawtrak downloading module\r\n[hxxp://5.187.2[.]19/module/2f6421d9a99d75c5d153edda3f1fe5e3] Vawtrak downloading module\r\n[hxxp://5.187.2[.]19/module/9079dae8e107342d8f3747fa74ab8a57] Vawtrak downloading module\r\n[hxxp://5.187.2[.]19/module/7afb9776a27d97b2f43f8de256448072] Vawtrak downloading module\r\n[hxxp://5.187.2[.]19/upd/28] Vawtrak downloading update\r\nSource: https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan"
	],
	"report_names": [
		"Vawtrak-UrlZone-Banking-Trojans-Target-Japan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d70f521dbde7e82782f127672c8dbca53a79033.pdf",
		"text": "https://archive.orkl.eu/8d70f521dbde7e82782f127672c8dbca53a79033.txt",
		"img": "https://archive.orkl.eu/8d70f521dbde7e82782f127672c8dbca53a79033.jpg"
	}
}