URL:
https://securityaffairs.co/wordpress/122875/malware/ta544-ursnif-campaigns-italy.html?utm_source=rss&utm_medium=rss&utm_cam...
TA544 group behind a spike in Ursnif malware campaigns targeting Italy
October 3, 2021 By Pierluigi Paganini

Proofpoint researchers reported that TA544 threat actors are behind a new Ursnif campaign that is targeting Italian organizations.

Proofpoint researchers have discovered a new Ursnif banking Trojan campaign carried out by a group tracked as TA544 that is targeting organizations in Italy. The experts observed nearly 20 notable campaigns distributing hundreds of thousands of malicious messages targeting Italian organizations. TA544 is a financially motivated threat actor that has been active since at least 2017. It focuses on attacks against banking users and leverages banking malware and other payloads to target organizations worldwide, mainly in Italy and Japan.
Experts pointed out that in the period between January and August 2021, the number of observed Ursnif campaigns impacting Italian organizations was greater than the total number of Ursnif campaigns targeting Italy in all of 2020. The TA544 group leverages phishing and social engineering techniques to lure victims into enabling the macros included in weaponized documents; once the macros are enabled, the infection process starts. In the most recent attacks against Italian organizations, TA544 posed as an Italian courier or energy company soliciting payments from the victims. The spam messages use weaponized Office documents to drop the Ursnif banking Trojan in the final stage.

“In the observed campaigns, TA544 often uses geofencing techniques to detect whether recipients are in targeted geographic regions before infecting them with the malware. For example, in recent campaigns, the document macro generates and executes an Excel 4 macro written in Italian, and the malware conducts location checks on the server side via IP address.” reads the analysis published by Proofpoint. “If the user was not in the target area, the malware command and control would redirect to an adult website. So far in 2021, Proofpoint has observed nearly half a million messages associated with this threat targeting Italian organizations.”

The group employed file injectors to deliver malicious code used to steal sensitive information from the victims, such as payment card data and login credentials.

I have contacted Luigi Martire, a senior malware researcher who has investigated multiple Ursnif campaigns with me since 2017.

“Over the years, we have seen that the TTPs of the groups behind Ursnif’s threat have slightly evolved. When I began studying this threat, Ursnif campaigns were more widespread and less targeted. The payloads were scattered across poorly targeted campaigns. Since 2018, attackers have employed very sophisticated techniques in their attacks.
TA544 used a more complex attack chain composed of multiple stages that leveraged PowerShell and steganography.” Martire told me. “However, over the last few years, the Ursnif campaigns have become increasingly targeted. Threat actors also merged classic macros and Macro 4.0, also known as XLM macros, a type of legacy Microsoft Excel macro that still works in recent versions and that is still effective at avoiding detection.”

Researchers identified some of the high-profile organizations that were targeted by the TA544 group in the latest campaign; below is the list of targeted companies:
* IBK
* BNL
* ING
* eBay
* PayPal
* Amazon
* CheBanca!
* Banca Sella
* UniCredit Group

The analysis of the web injects used by the group suggests that the threat actors were also interested in stealing credentials for websites associated with major retailers.

“Today’s threats – like TA544’s campaigns targeting Italian organizations – target people, not infrastructure.” concludes the report. “That’s why you must take a people-centric approach to cybersecurity. That includes user-level visibility into vulnerability, attacks and privilege and tailored controls that account for individual user risk.”

Pierluigi Paganini (SecurityAffairs – hacking, Ursnif)