Japanese corporations targeted with active malware spam campaign 

Oct 09, 2015 10:15 AM

Since the early hours of October 8, employees of various corporations in Japan started to receive suspicious-looking emails which turned out to carry malicious attachments. These emails are part of a wave of malware-ridden spam attacks that are currently active in Japan. There are two variations of the emails: one is an order confirmation from a Japanese equipment supplier and the other pretends to come from a local printing company. Some examples of the emails can be seen in the following image.

Figure. Samples of Japanese emails carrying the Microsoft Word document containing a malicious macro

Malicious contents
The emails come with an attached Microsoft Word document file. The document contains a malicious macro, which attempts to download the same executable file (65g3f4.exe) from multiple remote locations. The multiple download locations are probably a redundancy measure in case some of the sources are taken down. We have observed download attempts from the following domains:

  • Leelazarow[.]com
  • Rockron[.]com
  • www[.]profes-decin[.]kvalitne[.]cz

Symantec detects the malicious Word document as W97M.Downloader. W97M.Downloader is a known vehicle for other threats such as Trojan.Cryptodefense and Trojan.Cridex. In this case, the document is downloading a banking Trojan which Symantec detects as Infostealer.Shifu. Installing such a Trojan on corporate computers could give the attackers a foothold on the network from which they can spread and find other items of value.
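Because the macro fetches the same file name from several sources, a defender can look for either the download hosts or the payload name in outbound proxy traffic. The following is an added example, not code from the post or from Symantec: it refangs the three domains listed above, then scans constructed proxy log lines (the log format and client addresses are hypothetical) and reports every request that hits a listed host, a subdomain of one, or the 65g3f4.exe payload name.

```python
from urllib.parse import urlparse

# Download hosts named in the post, written defanged as the post gives them.
DEFANGED_HOSTS = [
    "Leelazarow[.]com",
    "Rockron[.]com",
    "www[.]profes-decin[.]kvalitne[.]cz",
]
PAYLOAD_NAME = "65g3f4.exe"

def refang(indicator):
    """Turn a defanged indicator ('example[.]com') into a lowercase hostname."""
    return indicator.replace("[.]", ".").lower()

BLOCKLIST = {refang(h) for h in DEFANGED_HOSTS}

def host_matches(host):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)

# Constructed proxy log lines (hypothetical, not from the post):
# timestamp client_ip method url status
SAMPLE_LOG = """\
1444291200.101 10.0.0.15 GET http://leelazarow.com/65g3f4.exe 200
1444291201.334 10.0.0.15 GET http://www.example.org/index.html 200
1444291202.570 10.0.0.22 GET http://cdn.rockron.com/files/65g3f4.exe 404
1444291203.912 10.0.0.31 GET http://intranet.local/report.docx 200
"""

def scan_proxy_log(text):
    """Return (client_ip, url, reason) for each line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        host = urlparse(url).hostname or ""
        reasons = []
        if host_matches(host):
            reasons.append("host")
        # File name alone is a weaker signal: the post says the macro tries several sources.
        if url.lower().endswith("/" + PAYLOAD_NAME):
            reasons.append("payload")
        if reasons:
            hits.append((client, url, "+".join(reasons)))
    return hits
```

A hit tagged only "payload" points at a download source the post does not list and is worth a closer look rather than an automatic block.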

Made for Japan?
Our telemetry shows that this particular variant of Infostealer.Shifu is being distributed almost exclusively in Japan, as 98 percent of the detections are located in this region. There are currently no indications that specific industries or companies are targeted.

Mitigation
To reduce the risk of these types of attacks, users should take the following precautions:


Update – October 13, 2015:
Symantec Security Response has changed the detection for the banking Trojan related to this incident from Infostealer.Shiz to Infostealer.Shifu.
