A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

Security experts from D3Lab have uncovered a new COVID-19-themed phishing campaign that is targeting the users of the Italian National Institute for Social Security (INPS). Like a previous campaign observed in early April, threat actors set up a fake INPS site used (“inps-it[.]top”) to trick victims into downloading a malicious app.

“A new Phishing campaign against INPS users , similar to the previous one of April 6, 2020 , has been detected in the past few hours by our research and analysis center for Phishing campaigns.” reads the post published D3Lab.

“The fraudulent activity is carried out through a web domain created Ad Hoc with similarities, in the name, to the official one of the national social security institution with the intent to download malware to users interested in receiving the Covid-19 allowance allocated from the Italian state.”

D3Lab reported its findings to the Italian CERT-AGID that published a security advisory.

Cybercriminals are attempting to take advantage of the Covid-19 indemnity that the Italian government will give to some Italian citizens with specific requirements.

The citizens have to request the Covid-19 indemnity to the goverment through the INPS portal, for this reason, threat actors set up a fake INPS site asking people to download a phantom “application for the new COVID-19 indemnity” which actually returns a malicious APK for Android devices..

The malicious APT, named “acrobatreader.apk,” is a Trojan-Banker malware that is able to monitor the actions performed by the user.

The malware asks users to enable the accessibility service in order to take advantage of the legitimate functions of this service and achieve wider access to the system APIs to communicate with other apps on the device.

“As soon as the presence of connectivity is detected, an HTTP POST request is sent to C2 through the following url ” http: // greedyduck [.] Top / gate [.] Php ” passing two parameters:

• ” Action “: with botcheck or injcheck values ;
• ” Data “: information collected and passed in encrypted form (RC4).”

The CERT-AGID published the Indicators of Compromise (IoCs) here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]