Threat Research

Fake Tsunami Alert Brings Malware to Japan

By Yueh-Ting Chen and Evgeny Ananin | December 19, 2018

Threat Analysis Report from FortiGuard Labs

In November, FortiGuard Labs uncovered a spam campaign that included a tsunami alert for Japanese citizens. The spam e-mails contained a fake link to the Japan Meteorological Agency (JMA), which when clicked downloaded the Smoke Loader trojan. After monitoring the fake site, we found that the link for downloading Smoke Loader was replaced at the end of November by a new link that deployed another high performance trojan, AZORult, that harvests and exfiltrates data from compromised systems.

Both of these malware versions are only sold at Russian underground forums. Currently, the fake JMA site is still acting as an AZORult C&C server that redirects users to the legit JMA site. After further research into the domain information behind the fake JMA site, we found another campaign related to the same actor.

In this article, we analyze the malware downloaded from the fake JMA website and research another campaign by the same actor.

Fake Tsunami Alert

During November 2018, JMA twice announced that a fake tsunami alert mail campaign was underway targeting people living in North East Region of Japan. The official announcements can be found in the following links:

The content of these spams do not use native Japanese. Because of their grammar issues, they were likely either written by a foreigner or translated by machine. Both of these spams lead victims to inadvertently download a malicious file. The download link is below:


Figure 1. Example of fake tsunami alert spam

The domain name attempts to look like a legit JMA domain -, but instead of "."(dot) it has a "-"(hyphen) character in the name. The Japan Meteorological Agency alerted users through twitter about this difference.

Figure 2. Difference between the real JMA domain and the fake one

Website Payload Changes Over Time

We have monitored the malware download link for a month, and have recorded the following changes made to the downloaded malware.

Table 1. Changes to the Malware Downloading Link in hxxp://www.jma-go[.]jp/jma/tsunami/tsunami_regions.scr
Table 2. Changes made to the Malware Downloading Link in hxxp://jma-go[.]jp/jma/tsunami/1.exe

The file 1.exe was removed from the website in late November.

After the 25th of November, the downloaded malware was changed from Smoke Loader to AZORult. Both of them use the jma-go[.]jp domain as C&C server.

Smoke Loader C&C server:


AZORult C&C server:


Smoke Loader

All four samples belonging to Smoke Loader family use the same shellcode loader and final payload. Once downloaded, they try to download extra plugin DLLs or next stage malware. Unfortunately, we could not observe the next stage attack in this campaign. Here is a detailed report for Smoke Loader written by CERT.PL. We will mention some parts of the functionalities in the next section.


Smoke Loader uses multiple anti-analyzing techniques before it runs its final payload.

We found that a variety of techniques are used in this campaign, including some basic techniques like anti-debugging checking for PEB flag and jump chains.

It checks the usage of sbiedll to detect if it is being run in a sandbox.

Figure 3. Anti-sandbox technique for checking the module handle of sbiedll

It also checks the usage of virtual machine using some famous virtual machine names when comparing values in the following registry entries:

·       HKLM\System\CurrentControlSet\Services\Disk\Enum

·       HKLM\System\ControlControlSet\Enum\IDE

·       HKLM\System\ControlControlSet\Enum\SCSI

Figure 4. Anti-vm technique for searching for specific strings in registry entries

Keyboard Layout Check

It also checks the keyboard language of the victim to ensure that it does not infect Russian and Ukrainian users.

Figure 5. Keyboard layout checks

PROPagate Code Injection

This injection technique was originally found in 2017, and we noticed that Smoke Loader has used this technique since July, 2018. Here is a technical report which discusses this trick.

We found the following code at the end. It configures a UxSubclassInfo structure with a callback function to run explorer.exe, and triggers injected code that then sends a message to a window. After triggering the callback function, it then runs the injected decrypted payload of AZORult.

Figure 6. PROPagate code injection

Process Monitoring

Before it connects to the C&C server, it creates two threads for monitoring processes and windows as another anti-analyzing functionality. In these threads it calculates the hash of process name and window name, and compares them with the hard-coded name hash in its payload. If it finds such a process or window, it will terminate the process or window immediately.

Figure 7. Creating threads for monitoring processes and windows

C&C Server

All of the Smoke Loader samples in this campaign use the following URL as their C&C server.


This URL is decrypted from the structure shown in Figure 8. It is an easy algorithm for decrypting the string. The decrypted algorithm in these samples is shown below.

decrypted_byte = not (encrypted_byte xor 0x36 xor 0x04 xor 0xAE xor 0xB8)

Figure 8. Smoke Loader Encrypted URL Structure

Second Stage Malware Execution

There are three ways for Smoke Loader to install the downloaded second stage malware or its plugin.

1.     Fileless method: Maps the downloaded payload into memory and then runs it immediately.

2.     Downloads a DLL and loads it immediately.

3.     Downloada a DLL or EXE file, and registers it as a service with regsvr32.


AZORult used in this campaign is version 3.3. This version was first found in October, 2018. AZORult in this campaign has the same characteristics and nothing has been changed from the previously discovered AZORult version 3.3 samples. We will summarize some of those characteristics in this section.

Information Stealing Functionalities

AZORuly includes functionalities to search through the following applications’ information in victim’s system.

1.     Browser history

2.     Cryptocurrency wallet

3.     Skype

4.     Telegram

5.     Steam

C&C Server

In this campaign, the domain “jma-go[.]jp” is used as the C&C server for the malware.


In AZORult version 3.3, it uses the key buffer and specified weight for the key buffer element to decrypt the encrypted URL. 

Table 3. Key buffer and corresponding weight value array (Both are hexadecimal)

Figure 9 shows an example for decrypting the first character of the domain.

Figure 9. AZORult Encrypted URL and example for decrypting the first character

Second Stage Malware Execution

It then connects to C&C server and try to download the second stage malware. There are two kinds of execution methods: CreateProcessW and ShellExecuteExW. Which one is used depends on the URI extension whether if it is an .exe or not.

Figure 10. 2nd stage malware execution in AZORult

Spread through Different Routes

This campaign uses different routes to spread AZORult.

1.     hxxp://thunderbolt-price[.]com/Art-and-Jakes/Coupon.scr

This site is used an affiliate program for advertising things in Japan, and we found that there is an address to download Coupon.scr, which is malware belonging to AZORult. It is the same file we mentioned earlier with the hash value of: 748c94bfdb94b322c876114fcf55a6043f1cd612766e8af1635218a747f45fb9.

2.     hxxp://

This is the same file we mentioned earlier, with the hash value of: 70900b5777ea48f4c635f78b597605e9bdbbee469b3052f1bd0088a1d18f85d3.

Discovering other Activities

We decided to investigate this case further to try to find the possible actors behind this malicious campaign.

First, we started analyzing the malicious domain “jma-go[.]jp”. When someone directly accesses the malicious website, it redirect the user to the legit JMA website. 

When checking the website redirection script, we observed several comments written in Cyrillic. 

Figure 11. Redirection script found on the malicious website

It's quite interesting that someone left those in the real campaign, so we decided to search for the comments on the Net—and we soon had a hit on one of those: a user with the nickname "vladvo" made a post on one of the Russian forums, asking about redirection and iframe. The code he provided as a solution made by himself exactly matches the redirection code used on the malicious website. Even the comments and spaces are the same. 

Figure 12. Same script posted by “vladvo” user

The only thing the actor changed here was the link in the "window.location" argument. Unfortunately, we cannot be sure that the "vladvo" user is connected to this case. He posted this message on 20.10.2012, so the post is currently 6 years old. It's just as likely that someone just re-usedhis code for the campaign.

After analyzing the script, we then decided to check for the WHOIS information of the malicious domain. Here, we found interesting information that later provided us with details for finding other campaigns possibly run by the same actors.

Figure 13. WHOIS information for jma-go[.]jp

First of all, we found other websites registered using the e-mail referenced in the WHOIS information — lixiaomraz[@]

·       hxxp://www.montepaschi-decreto-gdpr[.]net

·       hxxp://www.posteweb-sicurezza[.]com  

We then found that the first website is already being used in the MPS bank phishing campaign:

Figure 14. Phishing campaign for MPS bank shown with VT Graph

We can assume that the hxxp://www.posteweb-sicurezza[.]com website could also be used in a current or new campaign.

Next, searching in WHOIS history we found five other domains that were registered by the same actor on 09.02.2018:

·       hxxp://www.3djks92lsd[.]biz

·       hxxp://www.38djkf92lsd[.]biz

·       hxxp://www.38djks92lsd[.]biz

·       hxxp://www.348djks92lsd[.]biz

·       hxxp://www.38djks921lsd[.]biz

All the data listed in the older WHOIS entries matches the registrar information listed for jma-go[.]jp: 

Figure 15. WHOIS history for discovered domains

All the websites pretend to look like music, video streaming, or torrent websites. But their real behavior is much different. 

Figure 16. Screenshots of websites registered by lixiaomraz[@]

Once a user tries to download any file from those, they are redirected to other websites, and finally, a legit 7zip 16.02 (1f662cf64a83651238b92d62e23144fd) software installer is downloaded. It looks like the websites still have no payload, or they have already been changed. It is likely that the actor is using 7zip package as a stub for testing their functionality.

Figure 17. Helping the user download and launch the payload

We were able to retrieve several redirection hosts used in the campaign:

·       hxxp://writingspiders[.]xyz

·       hxxp://catsamusement[.]xyz

·       hxxp://oatmealtheory[.]xyz

·       hxxp://canvasporter[.]pw

All of the domains are much younger than the main .biz domains. This could mean that the actor is still developing his new campaign and we could soon observe another malicious activity connected to the 5 websites we found. Unfortunately, the WHOIS information for the redirection domains did not give us any clues as to whether the same actor owns them or if it’s a fresh “partnership” for testing malware spreading techniques.

Besides the possible malware spreading feature, we found other interesting activity happening in the background of the websites. Checking the page source code, a stealthy iframe object has been found. The size of the object is 1x1, hidden in the lower left corner. 

Figure 18. Hidden iframe at hxxp://www.38djks92lsd[.]biz

As we can see, the iframe object contains a link to a YouTube video player. Besides that, the autoplay feature is turned on. That means the video is stealthy played in the background. This technique is often used for “black” methods of promoting videos and increasing view counts. Besides the link to YouTube, several iframes to Twitter and Facebook were also observed.

As the five websites we discovered are, obviously, not crowded with users, it’s quite strange to see those promotion techniques being used. So possible alternative explanations for such activity are that the campaign has just started. or the actors are using the domains as a testing environment. 

Apart from the domains we stated, two other websites registered by “Kupriushin Anton” were found:

·       hxxp://Craigslist[.]business

·       hxxp://Craiglist[.]news

The websites are currently unavailable, but it’s obvious that the actor tried to disguise the name of popular Craigslist website.

To summarize, we can say that the actor is quickly developing and changing his tools and trying to profit from different methods of malicious activity.


FortiGuard Labs has monitored this fake tsunami alert campaign since November and researched the possible actor or actors behind the campaign. 

We found that the downloaded malware used In the campaign for infecting victims and stealing information changed to make it more efficient, switching from Smoke Loader to AZORult.

At the same time, we have detected that the fake JMA site registrant also creates other sites for different phishing or malicious campaigns.

FortiGuard Lab will continue to monitor all of these domains and research for the actors behind them.


Fortinet users are protected from malicious threats mentioned above with the following solutions:

·       Files are detected by FortiGuard Antivirus

·       Malicious and Phishing URLs are blocked by our FortiGuard Web Filtering Service



27aa9cdf60f1fbff84ede0d77bd49677ec346af050ffd90a43b8dcd528c9633b - W32/Kryptik.GMMP!tr

42fdaffdbacfdf85945bd0e8bfaadb765dde622a0a7268f8aa70cd18c91a0e85 - W32/Kryptik.GMOP!tr

fb3def9c23ba81f85aae0f563f4156ba9453c2e928728283de4abdfb5b5f426f - W32/Kryptik.GMVI!tr

70900b5777ea48f4c635f78b597605e9bdbbee469b3052f1bd0088a1d18f85d3 - W32/GenKryptik.CSCS!tr

a1ce72ec2f2fe6139eb6bb35b8a4fb40aca2d90bc19872d6517a6ebb66b6b139 - W32/Generik.CMTJTLW!tr

7337143e5fb7ecbdf1911e248d73c930a81100206e8813ad3a90d4dd69ee53c7 -            


748c94bfdb94b322c876114fcf55a6043f1cd612766e8af1635218a747f45fb9 - W32/Generik.JKNHTRB!tr

Donwloaded URLs:

hxxp://www.jma-go[.]jp/jma/tsunami/tsunami_regions.scr - Malware

hxxp://jma-go[.]jp/jma/tsunami/1.exe – Malware

hxxp://thunderbolt-price[.]com/Art-and-Jakes/Coupon.scr – Malware

hxxp://bite-me.wz[.]cz/1.exe – Malware


hxxp://jma-go[.]jp/js/metrology/jma.php - Malicious

hxxp://www.jma-go[.]jp/java/java9356/index.php - Malicious

Other URLs:

hxxp://montepaschi-decreto-gdpr[.]net/ - Phishing

hxxp://montepaschi-decreto-gdpr[.]net/procedura-per-sblocco-temporaneo-decreto/conferma_dati.html – Phishing

hxxp://certificazione.portalemps[.]com/ - Phishing

hxxp://certificazione.portalemps[.]com/verifica-conto/ - Phishing

hxxp://Craigslist[.]business - Phishing

hxxp://Craiglist[.]news – Phishing

hxxp://www.3djks92lsd[.]biz - Phishing

hxxp://www.38djkf92lsd[.]biz - Phishing

hxxp://www.38djks92lsd[.]biz - Phishing

hxxp://www.348djks92lsd[.]biz - Phishing

hxxp://www.38djks921lsd[.]biz - Phishing

hxxp://writingspiders[.]xyz - Malicious

hxxp://catsamusement[.]xyz - Malicious

hxxp://oatmealtheory[.]xyz - Malicious

hxxp://canvasporter[.]pw - Malicious

-= FortiGuard Lion Team =-

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.