Japan is the latest country to be targeted with regionalized spam emails used to deliver malware. Symantec has observed several spam email campaigns in recent months targeting countries around the world, including Brazil and two campaigns in India. These campaigns usually feature emails that claim to be from a company or organization from within the targeted country.
While Japan has not been a frequent target of regionalized spam campaigns, we have seen an increasing number of Japanese users targeted with localized emails. The malware used in the various campaigns has ranged from a variant of Trojan.Cidox (also known as Rovnix), specifically used to target Japanese banks, to other Trojans and ransomware, such as Trojan.Bebloh, that are found more globally.
Spam emails in Japan
We have seen spam emails targeting Japanese users by claiming to be about postal deliveries, loans, HR matters, and online shopping. The following email claims to be from a popular Japanese online shopping site and alerts the victim about a failed delivery.
Figure 1. Spam email claiming to be from a popular Japanese online shopping site with the site's name misspelled
The email claims to be from one of Japan's largest online shopping sites, but comes from an email address that misspells the site's name. By noticing the difference in the name, anyone who receives emails like this can avoid opening the attachment and downloading malware on to their computer.
That attachment is an archive file that appears to contain an Adobe Acrobat file (.PDF). It is actually an executable screensaver file, RacutenCoJP_GF84566641T_FDP.SCR, which uses right to left override (RLO) characters to spoof the file extension in order to make the recipient into believing it is an Adobe Acrobat file. When it is executed, it downloads Trojan.Cidox.E. Symantec telemetry indicates this particular Trojan.Cidox.E is only prevalent in Japan, so it’s a safe bet to assume the attacker is only interested in targeting Japanese users.
Different country, same payload
On the other hand, we have observed cases where the spam campaign targets Japanese-speaking users with localized emails, but the payload is not specifically designed for the country. For example, spam email designed in Japanese appears to target email addresses using Japanese domains. However, the file inside of the attachment is identical to the file inside the attachment for spam emails written in German and sent to German email addresses.
Figure 2. Spam email in Japanese sent to Japanese email addresses with attachment file name in Japanese
Figure 3. Spam email in German sent to German email addresses with attachment file name in English
The email in Japanese contains an attachment with a file name in Japanese while the German email contains an attachment with a file name in English. Both are archive files that contain JavaScript files with file names in Japanese and German. The following figure shows both files open in a text editor and the JavaScript inside appears to be identical.
Figure 4. Japanese file and German file with identical JavaScript
Each file has the following hash, proving that they are identical, except for the file name:
- e841ed26a38bc662339cd6305d11a85d
This JavaScript file downloads a Trojan horse that Symantec detects as Trojan.Bebloh. Bebloh can be used to monitor and steal information from compromised computers. The particular threat has been predominantly found in Western countries such as the United States and Germany, indicating that Japan has not been specifically targeted even though the email is in Japanese.
Figure 5. Trojan.Bebloh primarily affects the United States and Germany
Conclusion
While it might be easier to spam a single email worldwide, the attackers behind this spam gone a step further in an attempt to improve their success rate. By using social engineering tactics focused on a specific country, the attackers may be able to trick more people into opening them and executing malware.
Protection
Symantec's .cloud email security provides effective protection against these spam campaigns by blocking the unwanted emails.
Symantec protects its customers with the following signatures:
Antivirus