JAMESWT: cybercrime is spreading Zloader in Italy via fake fax messages. Clicking the malicious attachment activates the infection chain
Cybercrime is spreading Zloader in Italy with a new malspam campaign, discovered by the cyber security expert JAMESWT. The message, probably produced with an automatic translator given the many language and syntax errors it contains, refers to a fax supposedly sent by HelloFax Italia, and invites the user to open the attached fax (an Excel file). The problem is that, by opening the file, the victim activates the malware infection chain. Zloader is a banking trojan that uses web injects to steal credentials and private information from users of targeted financial institutions. It can also steal passwords and cookies stored in the victim's web browsers. According to Proofpoint, with the stolen information the malware can use the VNC (Virtual Network Computing) client it downloads to let the threat actors connect to the victim's system and carry out illicit financial transactions from the banking user's legitimate device, so that the fraud appears to come from a trusted machine.
The cyber security expert: as in one of the latest Ursnif campaigns against Italy, the victim can download the malware just once. Then he is banned
According to the cyber security researcher, victims can download Zloader just once, as is happening in one of the latest Ursnif campaigns against Italy; after that, the requesting host is banned and a repeated request from the same source receives nothing, which also hampers anyone trying to fetch the payload a second time for analysis. If the user opens the attached fax, the document downloads a DLL from a malicious site. The DLL is then executed, infecting the targeted system with the malware.
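The article does not say how the Excel attachment triggers the DLL download. The check below is an added example, not code from JAMESWT, Proofpoint or the article, and it assumes the usual case for this kind of lure: a document carrying VBA or Excel 4.0 macro content. It triages an Excel attachment offline, without opening it in Excel, by looking at the container: for OOXML files (.xlsx/.xlsm, which are zip archives) it lists the members that hold VBA, legacy macro sheets or external links; for legacy .xls files (OLE2/CFB) it looks for the UTF-16LE stream name of a VBA project. The sample files in the block are constructed in memory for the demonstration.

```python
import io
import zipfile

# Magic bytes of the two Excel container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls (OLE2 / Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .xlsx / .xlsm (zip archive)

# OLE2 directory entries store stream names as UTF-16LE; this one marks a VBA project.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

# OOXML members that indicate macro or external content.
OOXML_VBA = "xl/vbaProject.bin"
OOXML_XLM_PREFIX = "xl/macrosheets/"      # Excel 4.0 (XLM) macro sheets
OOXML_EXTLINK_PREFIX = "xl/externalLinks/"  # references to remote workbooks


def triage_excel_attachment(data: bytes) -> dict:
    """Inspect raw attachment bytes and report macro-related indicators.

    Returns a dict with the detected container type, which indicators were
    found, and an overall 'suspicious' verdict (any macro indicator present).
    Limitations are deliberate: for OLE2 files only the VBA stream name is
    checked, so a legacy .xls with XLM macros is not detected by this check.
    """
    report = {
        "container": "unknown",
        "vba": False,
        "xlm_macrosheets": False,
        "external_links": False,
        "suspicious": False,
    }

    if data.startswith(ZIP_MAGIC):
        report["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            # Truncated or damaged archive: treat as not parseable, not as clean.
            report["container"] = "ooxml-corrupt"
            report["suspicious"] = True
            return report
        report["vba"] = OOXML_VBA in names
        report["xlm_macrosheets"] = any(n.startswith(OOXML_XLM_PREFIX) for n in names)
        report["external_links"] = any(n.startswith(OOXML_EXTLINK_PREFIX) for n in names)
    elif data.startswith(OLE_MAGIC):
        report["container"] = "ole2"
        report["vba"] = OLE_VBA_MARKER in data

    report["suspicious"] = report["vba"] or report["xlm_macrosheets"]
    return report


def build_ooxml_sample(with_vba: bool, with_extlink: bool = False) -> bytes:
    """Construct a minimal OOXML-shaped zip for the demonstration (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr(OOXML_VBA, b"\x00" * 16)  # placeholder VBA project blob
        if with_extlink:
            zf.writestr(OOXML_EXTLINK_PREFIX + "externalLink1.xml", "<externalLink/>")
    return buf.getvalue()


def build_ole_sample(with_vba: bool) -> bytes:
    """Construct OLE2-shaped bytes for the demonstration (magic plus a directory-like name)."""
    body = b"\x00" * 64
    if with_vba:
        body += OLE_VBA_MARKER + b"\x00" * 8
    return OLE_MAGIC + body


if __name__ == "__main__":
    for label, sample in [
        ("plain xlsx", build_ooxml_sample(with_vba=False)),
        ("xlsm with VBA", build_ooxml_sample(with_vba=True)),
        ("xlsx with external link", build_ooxml_sample(False, with_extlink=True)),
        ("legacy xls with VBA", build_ole_sample(with_vba=True)),
    ]:
        print(label, "->", triage_excel_attachment(sample))
```

An external link on its own is not flagged as suspicious here, because legitimate workbooks use them; it is reported so an analyst can decide. For a real attachment the same function is fed the bytes of the file pulled from the mail store.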