CyOps Important Security Update: Campaign Targeting Italian Organizations & Entities
By Max Malyutin – Sr. Threat Researcher
As part of the CyOps Team’s ongoing efforts to discover emerging threats and vulnerabilities, we have just uncovered an Ursnif campaign targeting Italian organizations, entities, and their assets.
The threat actors behind this campaign are abusing an existing Italian company under the name:
BRT Corriere Espresso
While this campaign is currently active, you can rest assured that Cynet360 can detect and prevent this attack from executing on Cynet360-protected hosts as long as all the relevant detection and prevention features are enabled.
The infection entry point is a phishing email that carries an xlsm file (a weaponized Microsoft Office document); opening it leads to the execution of multi-stage malicious actions.
The Ursnif campaign is directed against targets of Italian origin:
Target: Windows users in Italy (the infection proceeds only if the victim's IP address is Italian)
Impact: Enumerate and collect victim information
Ursnif (aka Gozi/Gozi-ISFB) is an advanced banking trojan that targets the financial sector. It is one of the most active trojans worldwide and focuses on stealing banking, cloud storage, and email account credentials. Additional capabilities include backdoors, spyware, and file injectors.
TA551 is the threat group associated with Ursnif mass campaign distribution attacks.
The initial execution of the Ursnif DLL by the malicious MalDoc:
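The page describes the chain only at a high level: a weaponized xlsm document that ends in a DLL being executed. One way a defender can hunt for that pattern in process-creation telemetry is shown below. This is an added example, not Cynet's detection logic and not code from the original post; the log format, the specific Office parent processes, and the DLL host names (rundll32.exe / regsvr32.exe) are assumptions, since the page does not say how the MalDoc launches the DLL. The sample log lines are constructed.

```python
"""Added detection example: flag an Office process spawning a DLL-execution host.

The log format and process names below are assumptions for illustration; the
sample records are constructed, not real telemetry from the campaign.
"""
import re
from dataclasses import dataclass

# Assumption: the MalDoc launches its DLL through a built-in Windows DLL host.
# The page does not name the host, so this list is an assumption covering the
# common ones.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation record in a Sysmon-like shape (assumed format)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_dll_execution(ev: ProcEvent) -> bool:
    """True when an Office app spawns a DLL host whose command line names a .dll."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return False
    if basename(ev.image) not in DLL_HOSTS:
        return False
    return re.search(r"\.dll\b", ev.command_line, re.IGNORECASE) is not None


def parse_line(line: str) -> ProcEvent:
    """Parse a constructed 'Key=Value|Key=Value' record (assumed log format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


# Constructed sample records: one matching event, two benign ones.
SAMPLE_LOG = """\
ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\stage.dll,DllRegisterServer
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL
ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt
"""


def find_alerts(log_text: str) -> list[ProcEvent]:
    """Return every record that matches the Office-to-DLL-host pattern."""
    events = (parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    return [ev for ev in events if is_office_dll_execution(ev)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"ALERT: {basename(alert.parent_image)} -> {basename(alert.image)}: "
              f"{alert.command_line}")
```

The rule deliberately keys on the parent/child relationship rather than on a file hash, so it still fires when the DLL is renamed or rebuilt; the cost is that legitimate add-ins loaded the same way need an allow-list in a real deployment.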
To maximize the protection and security of your environment and mitigate any Ursnif activity, please make sure both detection and remediation are enabled for the following mechanisms in all scan groups.
The ADT mechanism contains hundreds of behavioral-based security rules. This mechanism monitors the behavior of processes after they are loaded to memory.
Memory Protection Mode gives Cynet visibility into kernel-level threats. This mechanism also prevents the EPS from being terminated.