Cyber Threat Actor TA544 is threatening Italian organizations using Ursnif Trojan

October 28, 2021
Threat Actor TA544 Italian organization Ursnif Trojan Malware

A recently discovered malware campaign is using the Ursnif Trojan to attack Italian organizations. A few months before this latest attack, Ursnif was used against almost a hundred banks across Italy.

The Ursnif Trojan, also known as Gozi, Dreambot, and ISFB, is a high-risk banking trojan built to steal sensitive and confidential information. It typically reaches systems without the user's knowledge, because its operators push it out at high volume through spam email campaigns.


Who is responsible for these recent Italy-based threat campaigns?

A team of researchers identified the actors as the infamous TA544, a cybercriminal group that distributes banking malware and other payloads in various regions, notably Japan and Italy.

The researchers also noted that they have observed twenty separate campaigns this year alone, delivering hundreds of thousands of malicious emails aimed directly at Italian organizations. In these attacks, TA544 posed as an Italian courier company or as an energy-sector agency demanding payment from the targeted users.

Once the payload was installed on a compromised machine, the Ursnif campaign used web injects and redirections against several sites. The identified web injects can steal credentials for numerous sites and online services used by Italians.


The Ursnif Trojan also targeted the login portals of many sites, including eBay, PayPal, CheBanca, BNL, and many more.


Finally, the researchers pointed out that almost half a million messages have been observed targeting Italian organizations, making Ursnif the most frequently observed malware targeting this part of the globe. The emails carry malicious MS Office documents containing macros. If the victim enables macros, the document drops Ursnif on the compromised machine.

In some of these campaigns, the threat actors use geofencing to ensure that the recipient is in the targeted region.


Conclusion

The threat actor dubbed TA544 has been running this campaign since last year and currently targets Italian users with the Ursnif Trojan. Organizations are advised to remain alert and to train employees to identify malicious emails. Furthermore, make sure that macros are enabled only for the employees who need them.
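The infection chain described above hinges on a macro-bearing Office attachment reaching a user who then enables macros, and the advice is to limit macros to the employees who need them. The following is an added example, not code from the original article or from the researchers it cites: a small Python check that a mail gateway or triage script could run on attachment bytes, using only the standard library. It detects macro-enabled OOXML documents (.docm/.xlsm/.pptm and any renamed copies) by looking inside the zip container for the VBA project part or the VBA content type, flags legacy OLE binaries (.doc/.xls) that need a dedicated parser, and applies a per-recipient allowlist. The allowlist, the `gateway_decision` function, and the sample documents are assumptions constructed for this example; the zip part names, the content type string, and the OLE magic bytes are the real values Office uses.

```python
import io
import zipfile

# Paths where Office stores the VBA project inside an OOXML (zip) container.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Content type Office declares for a VBA project in [Content_Types].xml.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2/CFB container used by .doc/.xls (pre-2007 formats).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'vba-ooxml', 'ooxml', 'ole-legacy' or 'other' for raw attachment bytes.

    The decision is based on content, not on the file extension, so a renamed
    attachment is classified the same way as a correctly named one.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams and need an OLE
        # parser (for example olevba) to inspect; hold it for deeper scanning.
        return "ole-legacy"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if names & VBA_PARTS:
                return "vba-ooxml"
            # A VBA part under an unusual name would still be declared here.
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "vba-ooxml"
            return "ooxml"
    except zipfile.BadZipFile:
        return "other"


def gateway_decision(recipient: str, data: bytes, macro_users: set) -> str:
    """Hypothetical gateway policy: macro documents only reach allowlisted recipients."""
    kind = classify_attachment(data)
    if kind == "vba-ooxml" and recipient not in macro_users:
        return "quarantine"
    if kind == "ole-legacy":
        return "inspect"  # cannot confirm macros without an OLE parser
    return "deliver"


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-like zip for the example (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_vba:
            types += b'<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        types += b"</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # constructed placeholder, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed allowlist of recipients who legitimately need macros.
    allowed = {"finance-macros@example.com"}
    for who in ("finance-macros@example.com", "reception@example.com"):
        print(who, gateway_decision(who, build_sample(True), allowed))
    print("plain docx:", gateway_decision("reception@example.com", build_sample(False), allowed))
    print("legacy doc:", gateway_decision("reception@example.com", OLE_MAGIC + b"\x00" * 504, allowed))
```

The content-type check matters because the `vbaProject.bin` part name is a convention rather than a requirement; the declaration in `[Content_Types].xml` is what Office actually honours. Legacy `.doc`/`.xls` containers are deliberately routed to "inspect" rather than "deliver", since this check cannot see their macro streams and silently delivering them would recreate the gap the campaign relies on.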
