Security researchers detected an Ursnif campaign that leveraged a new infection chain to target users based in Italy.
Cybaze-Yoroi Zlab observed that the Ursnif campaign began with a phishing email containing an attached Microsoft Word document. Once clicked, this file prompted users to enter a password so they could view its contents. The decision to use a password-protected file helped the campaign avoid detection. Indeed, its detection rate was zero at the time of discovery.
Ursnif’s History of Targeting Italy
Ursnif has a long history of preying upon Italian users. Back in August 2018, for instance, Trend Micro detected a campaign in which attackers used a fake receipt as a lure to trick users into opening an email attachment containing the Trojan.
In July 2019, Proofpoint picked up high-volume campaigns in which malicious actors targeted victims across Italy, Western Europe and Japan with samples of the Ursnif banking Trojan and URLZone. That was just a few months before Infoblox spotted attackers targeting Italy and Germany with the malware.
Defend Against an Ursnif Campaign
Security professionals can help their organizations defend against an Ursnif campaign by conducting simulated phishing attacks on an ongoing basis. Such exercises will help strengthen the workforce’s familiarity with and preparedness against email-based attacks.
Additionally, infosec personnel should conduct regular reviews of their organization’s security controls, especially backup and restoration capabilities, to make sure they can recover from a ransomware attack initiated by a phishing email.