TA544 threat actors hit Italian firms with Ursnif banking trojan

A new malware campaign from a group called TA544 is targeting organizations in Italy with Ursnif banking trojan – Here’s how it works.

The IT security researchers at Proofpoint have discovered a new malware campaign in which threat actors from a group called TA544 are targeting organizations in Italy with Ursnif banking trojan.

Ursnif (also known as Gozi) has a history of targeting Italian organizations over the past year. The malware is capable of stealing banking information, including credit card data, from infected computers. Its variants have also delivered a variety of other payloads, including backdoors, spyware and file injectors.

It is also worth noting that in August 2017, a researcher reported a spambot database called “Onliner Spambot” containing email addresses and clear-text passwords of 711 million users from around the world. The database was being used to send out spam and Ursnif banking trojan to users since 2016.

As for the recent attacks from TA544: according to Proofpoint’s senior threat intelligence analyst Selena Larson, in recently observed campaigns the group claims to represent Italian courier or energy organizations in order to solicit payments from targeted individuals.

The campaign’s modus operandi relies on phishing and social engineering, such as luring the victim into downloading a document weaponized with a malicious macro. Once the victim enables macros, the document executes a chain of activities that ends in the deployment of the Ursnif banking trojan.

[Figure] Malicious Excel document distributing Ursnif banking trojan (Image: Proofpoint)

Another noteworthy aspect of this campaign is that TA544 uses geofencing to determine the geographic location of a target before infecting their devices with malware.

In a detailed blog post, Larson explained that,

In recent campaigns, the document macro generates and executes an Excel 4 macro written in Italian, and the malware conducts location checks on the server-side via IP address. If the user was not in the target area, the malware command and control would redirect to an adult website.
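The Excel 4.0 (XLM) macro that Larson describes lives in the legacy .xls BIFF format, where every sheet is declared by a BoundSheet8 record whose type byte marks it as an XLM macro sheet, and whose state byte can hide the sheet from the user. As an added defender-side example (not code from the original article or from Proofpoint), the following Python walks a BIFF workbook stream and flags Excel 4.0 macro sheets, including hidden and “very hidden” ones; it assumes the raw Workbook stream has already been extracted from the OLE container (for instance with olefile) and runs here against a constructed two-sheet sample rather than a real malware file.

```python
import struct

BOUNDSHEET = 0x0085          # BIFF8 BoundSheet8 record id
SHEET_TYPE_XLM = 0x01        # dt field value for an Excel 4.0 (XLM) macro sheet
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm-macro", 0x02: "chart", 0x06: "vba-module"}


def parse_boundsheets(workbook_stream: bytes) -> list[dict]:
    """Walk the BIFF record chain and return one dict per BoundSheet8 record."""
    sheets, off = [], 0
    while off + 4 <= len(workbook_stream):
        rec_type, rec_len = struct.unpack_from("<HH", workbook_stream, off)
        off += 4
        data = workbook_stream[off:off + rec_len]
        off += rec_len
        if rec_type != BOUNDSHEET or len(data) < 8:
            continue
        hs_state = data[4] & 0x03            # 0 visible, 1 hidden, 2 very hidden
        sheet_type = data[5]
        cch, high_byte = data[6], data[7] & 0x01
        raw = data[8:8 + cch * (2 if high_byte else 1)]
        name = raw.decode("utf-16-le" if high_byte else "latin-1", "replace")
        sheets.append({"name": name, "type": SHEET_TYPES.get(sheet_type, hex(sheet_type)),
                       "hidden": hs_state != 0, "very_hidden": hs_state == 2})
    return sheets


def find_xlm_sheets(workbook_stream: bytes) -> list[dict]:
    """Return only Excel 4.0 macro sheets; a hidden one is a strong triage signal."""
    return [s for s in parse_boundsheets(workbook_stream) if s["type"] == "xlm-macro"]


# --- constructed sample (not a real malware file): BOF, two BoundSheet8 records, EOF ---
def _boundsheet(name: str, hs_state: int, sheet_type: int) -> bytes:
    body = struct.pack("<IBB", 0, hs_state, sheet_type) + bytes([len(name), 0]) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


SAMPLE_WORKBOOK = (
    struct.pack("<HH", 0x0809, 16) + b"\x00" * 16    # BOF record (contents irrelevant here)
    + _boundsheet("Foglio1", 0, 0x00)                  # visible, ordinary worksheet
    + _boundsheet("Macro1", 2, SHEET_TYPE_XLM)         # "very hidden" Excel 4.0 macro sheet
    + struct.pack("<HH", 0x000A, 0)                    # EOF record
)

if __name__ == "__main__":
    for sheet in find_xlm_sheets(SAMPLE_WORKBOOK):
        print(f"XLM macro sheet {sheet['name']!r} very_hidden={sheet['very_hidden']}")
```

Because this campaign generates the Excel 4 macro at run time from the document’s VBA macro, a static check like this catches the generated workbook or a detonated sample rather than necessarily the initial lure, so pair it with inspection of the VBA project itself.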

Additionally, Proofpoint was able to identify some of the high-profile organizations whose customers were targeted by TA544. The group used web injects to plant malicious code in victims’ browsers in an attempt to steal credit and debit card information, login credentials and other data entered on the sites of these companies, which included:

  • IBK
  • BNL
  • ING
  • eBay
  • PayPal
  • Amazon
  • CheBanca!
  • Banca Sella
  • UniCredit Group

“TA544’s campaigns targeting Italian organizations target people, not infrastructure. That’s why you must take a people-centric approach to cybersecurity. That includes user-level visibility into vulnerability, attacks, and privilege and tailored controls that account for individual user risk,” Larson concluded.

Whether you run a large corporation or a small company, you should always be aware of potential security issues. It is essential to have a solid cybersecurity program, run regular check-ups, educate your employees on internet safety, and update your software frequently. Otherwise, you can lose a lot of money and your clients’ trust. Taking care of your company’s data and internet security is the first step to keeping it up and running.
