TA544 group behind a spike in Ursnif malware campaigns targeting Italy

Pierluigi Paganini October 03, 2021

Proofpoint researchers reported that TA544 threat actors are behind a new Ursnif campaign that is targeting Italian organizations.

Proofpoint researchers have discovered a new Ursnif banking Trojan campaign, carried out by a group tracked as TA544, that is targeting organizations in Italy.

The experts observed nearly 20 notable campaigns distributing hundreds of thousands of malicious messages targeting Italian organizations.

TA544 is a financially motivated threat actor that has been active since at least 2017. It focuses on banking users, leveraging banking malware and other payloads against organizations worldwide, mainly in Italy and Japan.

The experts pointed out that between January and August 2021 alone, the number of Ursnif campaigns observed hitting Italian organizations was greater than the total number of Ursnif campaigns targeting Italy in all of 2020.

The TA544 group relies on phishing and social engineering to lure victims into enabling the macros embedded in weaponized documents. Once the macro is enabled, the infection chain starts.

In the most recent attacks against Italian organizations, TA544 posed as an Italian courier or energy company soliciting payment from the victims. The spam messages carry weaponized Office documents that drop the Ursnif banking Trojan in the final stage.


“In the observed campaigns, TA544 often uses geofencing techniques to detect whether recipients are in targeted geographic regions before infecting them with the malware. For example, in recent campaigns, the document macro generates and executes an Excel 4 macro written in Italian, and the malware conducts location checks on the server side via IP address.” reads the analysis published by Proofpoint. “If the user was not in the target area, the malware command and control would redirect to an adult website. So far in 2021, Proofpoint has observed nearly half a million messages associated with this threat targeting Italian organizations.”

The group uses web injects to deliver the malicious code that steals sensitive information from victims, such as payment card data and login credentials.

I contacted Luigi Martire, a senior malware researcher who has investigated multiple Ursnif campaigns with me since 2017.

“Over the years, we have seen that the TTPs of the groups behind the Ursnif threat have slightly evolved. When I began studying this threat, Ursnif campaigns were more widespread and less targeted. The payloads were scattered across poorly targeted campaigns. Since 2018, attackers have employed very sophisticated techniques in their attacks.
TA544 used a more complex attack chain composed of multiple stages that leveraged PowerShell and steganography,” Martire told me. “However, over the last few years, the Ursnif campaigns have been increasingly targeted. Threat actors also merged classic macros and Macro 4.0, also known as XLM macros, a type of legacy Microsoft Excel macro which still works in recent versions and is still effective at avoiding detection.”
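Both the Proofpoint observation above (a VBA macro that generates and runs an Excel 4 macro) and Martire's remark about XLM macros come down to the same artifacts on the defender's side: a macro sheet, often very hidden, and a VBA project inside an Office package. The scanner below is an added example, not code from this article, from Proofpoint or from the TA544 tooling; it uses only the standard library. The part names and content types it looks for (`xl/macrosheets/`, `application/vnd.ms-excel.macrosheet+xml`, `xl/vbaProject.bin`) are the ones Excel uses in .xlsm files; the sample workbook it scans is constructed in memory and is not a real TA544 lure.

```python
"""Flag OOXML spreadsheets carrying Excel 4.0 (XLM) macro sheets or a VBA project.

Added example for illustration only. The sample workbook below is constructed
in memory; the detection logic is generic and not tied to any one campaign.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"
# XLM functions that launch programs or load libraries (assumed watchlist; tune it).
SUSPICIOUS_XLM = re.compile(r"\b(EXEC|CALL|REGISTER|RUN|FORMULA)\s*\(", re.I)


def build_sample_workbook(with_macros: bool) -> bytes:
    """Construct a minimal .xlsx/.xlsm package in memory (sample data, not a real lure)."""
    overrides = [
        ("/xl/workbook.xml", "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
         if with_macros else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"),
        ("/xl/worksheets/sheet1.xml", "application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"),
    ]
    sheets = ['<sheet name="Fattura" sheetId="1" r:id="rId1"/>']
    parts = {"xl/worksheets/sheet1.xml": '<worksheet xmlns="%s"><sheetData/></worksheet>' % SML_NS}
    if with_macros:
        overrides += [("/xl/macrosheets/sheet1.xml", MACROSHEET_CT), ("/xl/vbaProject.bin", VBA_CT)]
        # A very-hidden XLM sheet: not visible in the Excel UI unless unhidden via VBA.
        sheets.append('<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>')
        parts["xl/macrosheets/sheet1.xml"] = (
            '<xm:macrosheet xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
            '<sheetData><row r="1"><c r="A1"><f>EXEC("calc.exe")</f></c></row>'
            '<row r="2"><c r="A2"><f>HALT()</f></c></row></sheetData></xm:macrosheet>')
        parts["xl/vbaProject.bin"] = b"\xd0\xcf\x11\xe0"  # OLE magic only, no real VBA
    parts["[Content_Types].xml"] = ('<Types xmlns="%s">' % CT_NS + "".join(
        '<Override PartName="%s" ContentType="%s"/>' % o for o in overrides) + "</Types>")
    parts["xl/workbook.xml"] = ('<workbook xmlns="%s" xmlns:r="%s"><sheets>%s</sheets></workbook>'
                                % (SML_NS, REL_NS, "".join(sheets)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def scan_workbook(data: bytes) -> dict:
    """Return the macro-related indicators found in an OOXML spreadsheet package."""
    found = {"xlm_macrosheets": [], "vba_project": False,
             "hidden_sheets": [], "suspicious_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # 1. What the package declares: macro sheets and VBA have dedicated content types.
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for ov in root.iter("{%s}Override" % CT_NS):
                part, ctype = ov.get("PartName", "").lstrip("/"), ov.get("ContentType", "")
                if ctype == MACROSHEET_CT:
                    found["xlm_macrosheets"].append(part)
                elif ctype == VBA_CT:
                    found["vba_project"] = True
        # 2. What is physically present, in case the declarations were tampered with.
        for n in sorted(names):
            if n.startswith("xl/macrosheets/") and n.endswith(".xml") and n not in found["xlm_macrosheets"]:
                found["xlm_macrosheets"].append(n)
            elif n == "xl/vbaProject.bin":
                found["vba_project"] = True
        # 3. Hidden or very-hidden sheets, the usual place an XLM sheet is tucked away.
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for sh in wb.iter("{%s}sheet" % SML_NS):
                if sh.get("state") in ("hidden", "veryHidden"):
                    found["hidden_sheets"].append((sh.get("name"), sh.get("state")))
        # 4. Formulas inside the macro sheets that execute or load code.
        for part in found["xlm_macrosheets"]:
            if part in names:
                xml = z.read(part).decode("utf-8", "replace")
                for f in re.findall(r"<f>(.*?)</f>", xml, re.S):
                    if SUSPICIOUS_XLM.search(f):
                        found["suspicious_formulas"].append(f)
    return found


def is_suspicious(found: dict) -> bool:
    """Any XLM macro sheet or VBA project is worth a closer look in inbound mail."""
    return bool(found["xlm_macrosheets"] or found["vba_project"])


if __name__ == "__main__":
    for label, flag in (("clean", False), ("xlm+vba", True)):
        result = scan_workbook(build_sample_workbook(flag))
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

Two caveats when using this against real mail flow. First, it only handles the zip-based OOXML container; a legacy .xls (BIFF8) file stores XLM in OLE streams and needs a tool such as oletools or XLMMacroDeobfuscator instead. Second, as the Proofpoint quote describes, the XLM code may not exist in the attachment at all but be generated at run time by the VBA macro, and the C2 only serves the payload to IP addresses in the targeted region, so a detonation sandbox egressing from outside Italy can come back with a clean verdict; scan both the original attachment and whatever the macro writes to disk, rather than trusting a single sandbox run.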

Researchers identified some of the high-profile organizations whose websites were targeted by the group's web injects in the latest campaign; the targeted companies include:

  • IBK
  • BNL
  • ING
  • eBay
  • PayPal
  • Amazon
  • CheBanca!
  • Banca Sella
  • UniCredit Group

The analysis of the web injects used by the group suggests that the threat actors were also interested in stealing credentials for websites associated with major retailers.

“Today’s threats – like TA544’s campaigns targeting Italian organizations – target people, not infrastructure.” concludes the report. “That’s why you must take a people-centric approach to cybersecurity. That includes user-level visibility into vulnerability, attacks and privilege and tailored controls that account for individual user risk.”
