March 18, 2020 By David Bisson 2 min read

Security researchers detected an Ursnif campaign that leveraged a new infection chain to target users based in Italy.

Cybaze-Yoroi Zlab observed that the Ursnif campaign began with a phishing email containing an attached Microsoft Word document. Once clicked, this file prompted users to enter a password so they could view its contents. The decision to use a password-protected file helped the campaign avoid detection. Indeed, its detection rate was zero at the time of discovery.

Upon receiving the correct password, the operation continued its infection by enabling the execution of a batch file that contained junk numbers inside the code. This file consisted of a script that created another file called “pinumber.vbs” and used a compromised Italian law-themed website as a DropURL to download a self-extracting archive. The contents of that file ultimately triggered the execution of a JavaScript module containing two embedded payloads, including an executable that infected the computer with Ursnif malware.

Ursnif’s History of Targeting Italy

Ursnif has a long history of preying upon Italian users. Back in August 2018, for instance, Trend Micro detected a campaign in which attackers used a fake receipt as a lure to trick users into opening an email attachment containing the Trojan.

In July 2019, Proofpoint picked up high-volume campaigns in which malicious actors targeted victims across Italy, Western Europe and Japan with samples of the Ursnif banking Trojan and URLZone. That was just a few months before Infoblox spotted attackers targeting Italy and Germany with the malware.

Defend Against an Ursnif Campaign

Security professionals can help their organizations defend against an Ursnif campaign by conducting simulated phishing attacks on an ongoing basis. Such exercises will help strengthen the workforce’s familiarity with and preparedness against email-based attacks.

Additionally, infosec personnel should conduct regular reviews of their organization’s security controls, especially backup and restoration capabilities, to make sure they can recover from a ransomware attack initiated by a phishing email.

More from

How cyber criminals are compromising AI software supply chains

3 min read - With the adoption of artificial intelligence (AI) soaring across industries and use cases, preventing AI-driven software supply chain attacks has never been more important.Recent research by SentinelOne exposed a new ransomware actor, dubbed NullBulge, which targets software supply chains by weaponizing code in open-source repositories like Hugging Face and GitHub. The group, claiming to be a hacktivist organization motivated by an anti-AI cause, specifically targets these resources to poison data sets used in AI model training.No matter whether you use…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today