URL: https://securityaffairs.co/wordpress/122875/malware/ta544-ursnif-campaigns-italy.html?utm_source=rss&utm_medium=rss&utm_cam...
Submission: On October 04 via api from GB — Scanned from DE
TA544 GROUP BEHIND A SPIKE IN URSNIF MALWARE CAMPAIGNS TARGETING ITALY

October 3, 2021  By Pierluigi Paganini

PROOFPOINT RESEARCHERS REPORTED THAT TA544 THREAT ACTORS ARE BEHIND A NEW URSNIF
CAMPAIGN THAT IS TARGETING ITALIAN ORGANIZATIONS.

Proofpoint researchers have discovered a new Ursnif banking Trojan campaign
carried out by a group tracked as TA544 that is targeting organizations in
Italy.

The experts observed nearly 20 notable campaigns distributing hundreds of
thousands of malicious messages targeting Italian organizations.

TA544 is a financially motivated threat actor that has been active since at
least 2017. It focuses on attacks against banking users and leverages banking
malware and other payloads to target organizations worldwide, mainly in Italy
and Japan.

Experts pointed out that in the period between January and August 2021, the
number of observed Ursnif campaigns impacting Italian organizations was greater
than the total number of Ursnif campaigns targeting Italy in all of 2020.

The TA544 group leverages phishing and social engineering techniques to lure
victims into enabling the macros included in weaponized documents. Once the
macros are enabled, the infection process starts.

In the most recent attacks against Italian organizations, the TA544 group posed
as an Italian courier or energy company soliciting payments from the victims.
The spam messages use weaponized Office documents to drop the Ursnif banking
Trojan in the final stage.

“In the observed campaigns, TA544 often uses geofencing techniques to detect
whether recipients are in targeted geographic regions before infecting them with
the malware. For example, in recent campaigns, the document macro generates and
executes an Excel 4 macro written in Italian, and the malware conducts location
checks on the server side via IP address.” reads the analysis published by
Proofpoint. “If the user was not in the target area, the malware command and
control would redirect to an adult website. So far in 2021, Proofpoint has
observed nearly half a million messages associated with this threat targeting
Italian organizations.”

The group employed file injectors to deliver malicious code used to steal
sensitive information from the victims, such as payment card data and login
credentials.

I have contacted Luigi Martire, a senior malware researcher who has investigated
with me multiple Ursnif campaigns since 2017.

“Over the years, we have seen that the TTPs of the groups behind the Ursnif
threat have slightly evolved. When I began studying this threat, Ursnif
campaigns were more widespread and less targeted. The payloads were scattered
across poorly targeted campaigns. Since 2018, attackers have employed very
sophisticated techniques in their attacks. TA544 used a more complex attack
chain composed of multiple stages that leveraged PowerShell and steganography,”
Martire told me. “However, over the last few years, the Ursnif campaigns have
been increasingly targeted. Threat actors also merged classic Macro and Macro
4.0, also known as XLM-Macro, a type of Microsoft Excel legacy macro which still
works in recent versions and is still effective at avoiding detection.”
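
Both the Proofpoint quote above (a document macro that generates and executes an Excel 4 macro) and Martire's remark about XLM macros point to the same artifact a defender can look for: an Excel 4.0 macro sheet inside an Office Open XML package. The following example is added here and is not code from the article, from Proofpoint, or from Martire. It builds a constructed, deliberately minimal .xlsm package in memory (not a real TA544 document and not a valid workbook Excel would open) and shows the static indicators that can be extracted from the zip container without launching Excel: the macrosheet content type and part path, an `Auto_Open`/`Auto_Close` defined name, and sheets marked `hidden` or `veryHidden`. The content type, part directory and attribute names are standard OOXML values; the scoring weights are the example's own choice.

```python
"""Static triage of an Office Open XML workbook for Excel 4.0 (XLM) macro sheets.

Added example, not from the Security Affairs article or the Proofpoint report.
The sample package is constructed in memory and is intentionally minimal.
"""
import io
import re
import zipfile

# Standard OOXML identifiers for Excel 4.0 macro sheets (not taken from the article).
MACROSHEET_CONTENT_TYPE = "application/vnd.ms-excel.macrosheet+xml"
MACROSHEET_DIR = "xl/macrosheets/"


def build_sample_xlsm(with_xlm: bool = True) -> bytes:
    """Constructed sample: a minimal xlsm, optionally carrying a very-hidden XLM sheet
    and an Auto_Open name that points at it. Not a workbook Excel would open."""
    overrides = ('<Override PartName="/xl/workbook.xml" '
                 'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>')
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    defined_names = ""
    if with_xlm:
        overrides += (f'<Override PartName="/xl/macrosheets/sheet1.xml" '
                      f'ContentType="{MACROSHEET_CONTENT_TYPE}"/>')
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        defined_names = ('<definedNames><definedName name="_xlnm.Auto_Open">'
                         'Macro1!$A$1</definedName></definedNames>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f'{overrides}</Types>')
    workbook = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                f'<sheets>{sheets}</sheets>{defined_names}</workbook>')
    # Inert placeholder cell; the detector never evaluates macro sheet contents.
    macrosheet = ('<?xml version="1.0" encoding="UTF-8"?>'
                  '<macrosheet><sheetData><row r="1"><c r="A1"><f>RETURN()</f></c></row>'
                  '</sheetData></macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        if with_xlm:
            z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


def scan_xlsm(data: bytes) -> dict:
    """Return the XLM-related indicators found in an OOXML package given as bytes."""
    findings = {"macrosheet_parts": [], "macrosheet_content_type": False,
                "auto_open_names": [], "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Any part under xl/macrosheets/ is an Excel 4.0 macro sheet.
        findings["macrosheet_parts"] = [n for n in names if n.startswith(MACROSHEET_DIR)]
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macrosheet_content_type"] = MACROSHEET_CONTENT_TYPE in ct
        if "xl/workbook.xml" in names:
            wb = z.read("xl/workbook.xml").decode("utf-8", "replace")
            # Auto_Open / Auto_Close defined names run an XLM macro on open or close.
            findings["auto_open_names"] = re.findall(
                r'<definedName[^>]*\bname="((?:_xlnm\.)?Auto_(?:Open|Close))"', wb)
            # Hidden or veryHidden sheets keep the macro sheet out of the user's view.
            for tag in re.findall(r"<sheet\b[^>]*/?>", wb):
                name = re.search(r'\bname="([^"]*)"', tag)
                state = re.search(r'\bstate="(hidden|veryHidden)"', tag)
                if name and state:
                    findings["hidden_sheets"].append((name.group(1), state.group(1)))
    return findings


def risk_score(findings: dict) -> int:
    """Example weighting (this example's own choice): 0 means no XLM indicators."""
    score = 0
    if findings["macrosheet_parts"] or findings["macrosheet_content_type"]:
        score += 2
    if findings["auto_open_names"]:
        score += 2
    if findings["hidden_sheets"]:
        score += 1
    return score


if __name__ == "__main__":
    for label, sample in (("xlm-sample", build_sample_xlsm(True)),
                          ("benign-sample", build_sample_xlsm(False))):
        f = scan_xlsm(sample)
        print(f"{label}: score={risk_score(f)} {f}")
```

The detector reads only the zip container and two XML parts, so it is safe to run on quarantined attachments. Its obvious limit is the one the Proofpoint quote describes: if the XLM sheet is generated at runtime by a VBA macro rather than shipped in the file, there is no macrosheet part to find, and the VBA project itself (`xl/vbaProject.bin`) has to be inspected instead.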

Researchers identified some of the high-profile organizations that were targeted
by the TA544 group in the latest campaign. Below is a list of the targeted
companies:

 * IBK
 * BNL
 * ING
 * eBay
 * PayPal
 * Amazon
 * CheBanca!
 * Banca Sella
 * UniCredit Group

The analysis of the web injects used by the group suggests that the threat
actors were also interested in stealing credentials for websites associated with
major retailers.

“Today’s threats – like TA544’s campaigns targeting Italian organizations –
target people, not infrastructure.” concludes the report. “That’s why you must
take a people-centric approach to cybersecurity. That includes user-level
visibility into vulnerability, attacks and privilege and tailored controls that
account for individual user risk.”
