What the Avalanche Botnet Takedown Revealed: Banking Trojan Infection in Japan
Internet banking services across the globe have been exposed to the threat by unauthorized money transfers and suffering large-scale losses.
In this landscape, an operation led by international law enforcement agencies has been in effect since November 2016 to capture criminal groups conducting unauthorised online banking transfers and dismantle the attack infrastructure (the Avalanche botnet). JPCERT/CC is one of the many supporters of this operation.
For more information about the operation, please see below:
Europol Press Release:
‘Avalanche’ network dismantled in international cyber operation
Interpol:
‘Avalanche’ network dismantled in international cyber operation
https://www.interpol.int/News-and-media/News/2016/N2016-160
This blog entry presents how JPCERT/CC supports this operation and the current state of malware infection in Japan revealed through our local coordination.
JPCERT/CC’s activities in the operation
Some organizations in support of this operation register domains related to the Avalanche botnet to observe communication between any infected devices and the DNS sinkhole. From all the observed data, CERT-Bund (the National CSIRT of Germany) provides information related to Japanese networks to JPCERT/CC. We then notify administrators of the infected hosts to request investigation and coordination to address the issue.
Characteristics of infected devices in Japan
Figure 1 shows the number of malware infected hosts linked to the Avalanche botnet, which were observed between 5 December 2016 and 31 May 2017. Note that extreme spikes caused by irregularities such as dates without any received data are excluded from the graph.
 |
In December 2016, when we first received data on the Avalanche botnet, there was a daily average of about 17,000 hosts communicating with the DNS sinkhole. However, it decreased to about 11,000 hosts per day at the end of May 2017, thanks to cooperation from our local partners.
In addition, multiple malware families have been observed within the Avalanche botnet. From the data, JPCERT/CC received between 5 December and 4 January, the ratio of malware observed in Japan was as follows:
 |
Rovnix, KINS, Shiotob (a.k.a. URLZone, Bebloh) are known as malware that harvest credentials for Internet banking services. We have confirmed that Rovnix and Shiotob were distributed as attachments to spam emails written in Japanese in 2016.
Conclusion
Through this operation, many infected hosts in Japan have been isolated from the botnet, which resulted in the decreasing trends as in Figure 1. However, besides the malware families hosted in the Avalanche botnet, other types of banking trojans such as Ursnif (or DreamBot) have also been distributed recently through spam emails written in Japanese. JPCERT/CC continues to alert local constituents about these threats.
- Shintaro Tanaka
(Translated by Yukako Uchida)
