March 18, 2020 By David Bisson 2 min read

Security researchers detected an Ursnif campaign that leveraged a new infection chain to target users based in Italy.

Cybaze-Yoroi Zlab observed that the Ursnif campaign began with a phishing email containing an attached Microsoft Word document. Once clicked, this file prompted users to enter a password so they could view its contents. The decision to use a password-protected file helped the campaign avoid detection. Indeed, its detection rate was zero at the time of discovery.

Upon receiving the correct password, the operation continued its infection by enabling the execution of a batch file that contained junk numbers inside the code. This file consisted of a script that created another file called “pinumber.vbs” and used a compromised Italian law-themed website as a DropURL to download a self-extracting archive. The contents of that file ultimately triggered the execution of a JavaScript module containing two embedded payloads, including an executable that infected the computer with Ursnif malware.

Ursnif’s History of Targeting Italy

Ursnif has a long history of preying upon Italian users. Back in August 2018, for instance, Trend Micro detected a campaign in which attackers used a fake receipt as a lure to trick users into opening an email attachment containing the Trojan.

In July 2019, Proofpoint picked up high-volume campaigns in which malicious actors targeted victims across Italy, Western Europe and Japan with samples of the Ursnif banking Trojan and URLZone. That was just a few months before Infoblox spotted attackers targeting Italy and Germany with the malware.

Defend Against an Ursnif Campaign

Security professionals can help their organizations defend against an Ursnif campaign by conducting simulated phishing attacks on an ongoing basis. Such exercises will help strengthen the workforce’s familiarity with and preparedness against email-based attacks.

Additionally, infosec personnel should conduct regular reviews of their organization’s security controls, especially backup and restoration capabilities, to make sure they can recover from a ransomware attack initiated by a phishing email.

More from

White House cements CISA’s role as national coordinator for cybersecurity

2 min read - In 2013, the Obama Administration rolled out "The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience", a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created "to strengthen and maintain secure, functioning and resilient critical infrastructure."The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024, President…

How a new wave of deepfake-driven cybercrime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit.Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries.Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break into customer…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today