Proofpoint computer security researchers have discovered a new malware campaign in which malicious actors from a group called TA544 target organizations in Italy with the Ursnif banking Trojan.
Ursnif (also known as Gozi) has frequently targeted Italian organizations over the past year or so. The malware is capable of stealing banking information from targeted computers, including credit card data. Its variants also deliver a variety of payloads, including backdoors, spyware, and file injectors.
It should also be noted that in August 2017, a researcher reported on a spambot database called “Onliner Spambot” containing the email addresses and cleartext passwords of 711 million users around the world. The database has been used to send spam and the Ursnif banking Trojan to users since 2016.
As for the recent attacks by TA544: according to Selena Larson, senior threat intelligence analyst at Proofpoint, in recently observed campaigns the group claims to represent Italian messaging or energy organizations in order to solicit payments from targeted individuals.
The campaign’s modus operandi involves phishing and social engineering techniques, such as inducing the victim to download a document file armed with a malicious macro. Once the victim enables the macro, it triggers a chain of activities that ends with the deployment of the Ursnif banking Trojan.
Another notable aspect of this campaign is that TA544 uses geolocation techniques to determine the geographic location of a target before infecting their devices with malware.
In a detailed blog post, Larson explained:
In recent campaigns, the document macro generates and runs an Excel 4 macro written in Italian, and the malware performs server-side location checks through an IP address. If the user was not in the target area, the malware command and control would redirect to an adult website.
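The delivery chain described above hinges on an Office document whose macro generates an Excel 4.0 (XLM) macro, and XLM macro sheets are often missed by controls that only look for VBA. The following is an added example for mail-gateway or sandbox triage, not code from Proofpoint or from the article; it assumes the standard Office Open XML container layout (VBA stored as `vbaProject.bin`, Excel 4.0 macro sheets stored under `xl/macrosheets/`) and constructs three small sample documents in memory so it runs offline. It does not inspect legacy OLE (`.doc`/`.xls`) files.

```python
import io
import zipfile

# Standard OOXML zip members that carry macro code (assumption: these are the
# conventional locations; this is an added example, not Proofpoint's tooling).
VBA_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
XLM_PREFIX = "xl/macrosheets/"          # Excel 4.0 / XLM macro sheets live here


def macro_indicators(data: bytes) -> dict:
    """Report which macro types an Office Open XML document (as bytes) contains.

    Returns {"ooxml": bool, "vba": bool, "xlm": bool}. Non-zip input (for
    example a legacy OLE .doc/.xls) yields all False and is out of scope here.
    """
    result = {"ooxml": False, "vba": False, "xlm": False}
    if not data.startswith(b"PK\x03\x04"):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["ooxml"] = "[Content_Types].xml" in names
    result["vba"] = any(n in VBA_MEMBERS for n in names)
    # Any macro sheet part counts, even an empty one: a document with an XLM
    # sheet and no business reason for it is worth holding for review.
    result["xlm"] = any(n.startswith(XLM_PREFIX) and n.endswith(".xml") for n in names)
    return result


def verdict(data: bytes) -> str:
    """Turn the indicators into a simple gateway decision string."""
    ind = macro_indicators(data)
    if ind["xlm"]:
        return "quarantine: Excel 4.0 (XLM) macro sheet present"
    if ind["vba"]:
        return "quarantine: VBA project present"
    if ind["ooxml"]:
        return "allow: no macro content found"
    return "unknown: not an OOXML container"


def build_sample(members: dict) -> bytes:
    """Construct a minimal OOXML-style zip with the given members (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a macro-free .docx, a .docm with a VBA project, and an
# .xlsm whose macro code is an XLM sheet rather than VBA.
CLEAN_DOCX = build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
VBA_DOCM = build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed placeholder",
})
XLM_XLSM = build_sample({
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": "<workbook/>",
    "xl/macrosheets/sheet1.xml": "<xm:macrosheet/>",
})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DOCX), ("vba", VBA_DOCM), ("xlm", XLM_XLSM)):
        print(f"{label:5} -> {verdict(blob)}")
```

A structural check like this is cheap enough to run on every attachment before a user ever sees the "Enable Content" prompt; it says nothing about what the macro does, so it belongs in front of, not instead of, sandbox detonation.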
Additionally, Proofpoint was able to identify some of the leading organizations whose customers have been targeted by TA544. The group used web injects to implant malicious code into its victims’ web browsers in an attempt to steal credit card, debit card, login credential, and other data. The targeted businesses included:
- PayPal
- Banca Sella
- UniCredit Group
“TA544 campaigns targeting Italian organizations target people, not infrastructure. That’s why you need to take a people-centric approach to cybersecurity. This includes user-level visibility into vulnerability, attacks, and privileges, and custom controls that take into account individual user risk,” Larson concluded.
Whether you run a large or a small business, you should always be aware of potential security issues. Having a sound cybersecurity program, performing regular checks, educating your employees about internet safety, and updating your software frequently are essential. Otherwise, you can lose a lot of money and your customers’ trust. Taking care of your business data and internet security is the first step in keeping the business up and running.