Proofpoint researchers reported that TA544 threat actors are behind a new Ursnif campaign that is targeting Italian organizations.
Proofpoint researchers have discovered a new Ursnif banking Trojan campaign, carried out by a group tracked as TA544, that is targeting organizations in Italy.
The experts observed nearly 20 notable campaigns distributing hundreds of thousands of malicious messages targeting Italian organizations.
TA544 is a financially motivated threat actor that has been active since at least 2017. It focuses on attacks against banking users and leverages banking malware and other payloads to target organizations worldwide, primarily in Italy and Japan.
The experts pointed out that between January and August 2021, the number of observed Ursnif campaigns impacting Italian organizations was greater than the total number of Ursnif campaigns targeting Italy in all of 2020.
The TA544 group leverages phishing and social engineering techniques to lure victims into enabling the macro included in weaponized documents. Once the macro is enabled, the infection process starts.
In the most recent attacks against Italian organizations, the TA544 group posed as an Italian courier or energy organization soliciting payments from the victims. The spam messages use weaponized Office documents to drop the Ursnif banking Trojan in the final stage.
“In the observed campaigns, TA544 often uses geofencing techniques to detect whether recipients are in targeted geographic regions before infecting them with the malware. For example, in recent campaigns, the document macro generates and executes an Excel 4 macro written in Italian, and the malware conducts location checks on the server side via IP address.” reads the analysis published by Proofpoint. “If the user was not in the target area, the malware command and control would redirect to an adult website. So far in 2021, Proofpoint has observed nearly half a million messages associated with this threat targeting Italian organizations.”
The group employed file injectors to deliver malicious code used to steal sensitive information from the victims, such as payment card data and login credentials.
I’ve contacted Luigi Martire, a senior malware researcher who has investigated several Ursnif campaigns with me since 2017.
“Over time, we have seen that the TTPs of the groups behind the Ursnif threat have slightly evolved. When I started studying this threat, Ursnif campaigns were more widespread and less targeted. The payloads were scattered across poorly targeted campaigns. Since 2018, attackers have employed very sophisticated techniques in their attacks.
TA544 used a more complex attack chain composed of several stages that leveraged PowerShell and steganography.” Martire told me. “However, over the past few years, the Ursnif campaigns have been increasingly targeted. Threat actors also merged classic Macro and Macro 4.0, also known as XLM-Macro, a type of Microsoft Excel legacy macro which still works in recent versions and which is still effective to avoid detection.”
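The mix of classic VBA macros and Excel 4.0 (XLM) macro sheets described above leaves static traces in an OOXML workbook. The following triage check is an added example, not code from Proofpoint or the original article; it flags a VBA project part, XLM macro sheet parts, and hidden sheets without opening the file in Excel. The sample workbooks and the sheet names `Fattura` and `Macro1` are constructed, and a workbook whose VBA builds the Excel 4 macro only at runtime will show the VBA indicator alone.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
SS_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
XLM_CT = "application/vnd.ms-excel.macrosheet+xml"   # Excel 4.0 (XLM) macro sheet part
VBA_CT = "application/vnd.ms-office.vbaProject"      # VBA project part (vbaProject.bin)


def triage_workbook(data: bytes) -> dict:
    """Static macro indicators for an OOXML workbook (.xlsx/.xlsm); nothing is executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Use a hardened XML parser in production when files are untrusted.
        types = ET.fromstring(zf.read("[Content_Types].xml"))
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
    has_vba = any(el.get("ContentType") == VBA_CT for el in types)
    xlm_parts = [el.get("PartName") for el in types.iter(f"{{{CT_NS}}}Override")
                 if el.get("ContentType") == XLM_CT]
    hidden = [s.get("name") for s in workbook.iter(f"{{{SS_NS}}}sheet")
              if s.get("state") in ("hidden", "veryHidden")]
    return {"vba": has_vba, "xlm_sheets": xlm_parts, "hidden_sheets": hidden,
            "vba_and_xlm": has_vba and bool(xlm_parts)}


def build_sample(with_vba: bool, with_xlm: bool) -> bytes:
    """Constructed, inert sample holding only the two parts the triage reads."""
    ct = [f'<Types xmlns="{CT_NS}">']
    if with_vba:
        ct.append(f'<Default Extension="bin" ContentType="{VBA_CT}"/>')
    if with_xlm:
        ct.append(f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{XLM_CT}"/>')
    ct.append("</Types>")
    macro_sheet = '<sheet name="Macro1" sheetId="2" state="veryHidden"/>' if with_xlm else ""
    wb = (f'<workbook xmlns="{SS_NS}"><sheets><sheet name="Fattura" sheetId="1"/>'
          f'{macro_sheet}</sheets></workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("xl/workbook.xml", wb)
    return buf.getvalue()


if __name__ == "__main__":
    for vba, xlm in [(False, False), (True, False), (True, True)]:
        print(vba, xlm, triage_workbook(build_sample(vba, xlm)))
```

The check covers OOXML containers only; legacy binary `.xls` files store macro sheets differently and need a separate parser.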
Researchers identified some of the high-profile organizations that were targeted by the TA544 group in the latest campaign. Below is a list of targeted companies:
- Banca Sella
- UniCredit Group
The analysis of the web injects used by the group suggests that the threat actors were also interested in stealing credentials for websites associated with major retailers.
“Today’s threats – like TA544’s campaigns targeting Italian organizations – target people, not infrastructure.” concludes the report. “That’s why it’s important to take a people-centric approach to cybersecurity. That includes user-level visibility into vulnerability, attacks and privilege and tailored controls that account for individual user risk.”
(SecurityAffairs – hacking, Ursnif)