Mallory
Malware. Used by 1 actor

URLzone

URLzone, also known as Bebloh, is a banking trojan that the sources summarized here associate with the Avalanche criminal infrastructure. Avalanche hosted URLzone and also provided double-fast-flux communication infrastructure for botnets, URLzone among them. Avalanche-linked activity targeted Microsoft Windows systems and more than 40 major financial institutions, and the associated malware families were described as capable of stealing user credentials and sensitive financial data (including banking and credit card information), providing unauthorized remote access, distributing additional malware, and enlisting infected systems in DDoS activity. Law-enforcement and industry reporting cited here links Bebloh/URLzone infections to German-speaking victims and notes that investigators found Bebloh and Ransomlock sharing command-and-control infrastructure. Further reporting says Spamhaus identified 35 command-and-control servers associated with URLzone. Proofpoint also observed a campaign targeting Japanese users in which malicious Microsoft Excel documents dropped URLZone and ultimately led to a final Ursnif payload. High-confidence aliases in the sources identify URLzone as Bebloh.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

TA544

...campaign targeting Japanese users dropping URLZone from malicious Microsoft Excel documents, which eventually led to a final Ursnif payload.

via Proofpoint Threat Insight blog (proofpoint.com)
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1566 Phishing (Evidence: 1)

The criminal groups have been using the Avalanche infrastructure since 2009 for conducting malware, phishing and spam activities. They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims.

T1566.001 Spearphishing Attachment (Evidence: 1)

They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims.

T1566.002 Spearphishing Link (Evidence: 1)

They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims.

Credential Access

2 techniques
T1555 Credentials from Password Stores (Evidence: 1)

Millions of private and business computer systems were also infected with malware, enabling the criminals operating the network to harvest bank and e-mail passwords.

T1649 Steal or Forge Authentication Certificates (Evidence: 2)

Victims may have had their sensitive personal information stolen (e.g., user account credentials).

Collection

1 technique
T1005 Data from Local System (Evidence: 1)

A system infected with Avalanche-associated malware may be subject to malicious activity including the theft of user credentials and other sensitive data, such as banking and credit card information.

Command and Control

3 techniques
T1071 Application Layer Protocol (Evidence: 4)

Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities... infected computers can no longer reach the criminal command and control computer systems and so criminals can no longer control the infected computers.

T1090.003 Multi-hop Proxy (Evidence: 1)

Avalanche used fast-flux DNS, a technique to hide the criminal servers, behind a constantly changing network of compromised systems acting as proxies.

T1568.001 Fast Flux DNS (Evidence: 4)

Avalanche used fast-flux DNS, a technique to hide the criminal servers, behind a constantly changing network of compromised systems acting as proxies.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (9)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.