The IT security researchers at Proofpoint have discovered a new malware campaign in which threat actors from a group called TA544 are targeting organizations in Italy with the Ursnif banking trojan.
Ursnif (also known as Gozi) has a history of targeting Italian organizations over the past year. The malware is capable of stealing banking information, including credit card data, from targeted computers. Its variants also deliver a variety of additional payloads, including backdoors, spyware and file injectors.
It is also worth noting that in August 2017, a researcher reported a spambot database called “Onliner Spambot” containing email addresses and clear-text passwords of 711 million users from around the world. The database was being used to send out spam and Ursnif banking trojan to users since 2016.
As for recent attacks from TA544: according to Proofpoint’s senior threat intelligence analyst Selena Larson, in recently observed campaigns the group claims to represent Italian courier or energy organizations in order to solicit payments from targeted individuals.
The campaign’s modus operandi involves phishing and social engineering techniques, such as luring the victim into downloading a document file weaponized with a malicious macro. Once the victim enables the macro, it executes a chain of activities including deployment