Yoroi-ZLab: Cybercrime targeted Italian-speaking victims with Netwire, and the infostealer campaign shows similarities with techniques adopted in recent operations against the Italian manufacturing sector
Italian-speaking victims are being targeted by cybercrime with the Netwire infostealer, as discovered by the Cybaze/Yoroi-ZLab cyber security experts. The attack chain shows interesting technical patterns resembling previous activities against the Italian manufacturing landscape. The variant used in this campaign is similar to other samples of the NetWire malware family, but the attack chain has evolved. The malware is delivered as a malicious email attachment, an Excel file with an XML macro embedded in it. Once opened, the Excel file looks like a document with some dynamic elements but has no clickable buttons, and the usual security notice informs the user that the document contains macros and that they are disabled. The macros are quite minimal and contain no dead code or other anti-analysis technique, apart from the random-looking variable names.
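The delivery vector described above is a spreadsheet attachment carrying an embedded macro. The following added example (not code from the Yoroi-ZLab report or from the campaign itself) shows the static triage check a mail gateway or analyst could apply to such an attachment: it opens an OOXML workbook as the ZIP container it is and flags a VBA project part or Excel 4.0 (XLM) macrosheets, using the standard OOXML content-type identifiers. The sample workbooks are constructed inline as minimal containers, not real spreadsheets.

```python
"""Static triage of a spreadsheet attachment for embedded macro content.

Added example: flags OOXML workbooks that carry a VBA project or Excel 4.0
macrosheets. The sample containers built by build_sample() are constructed
for the example and are not real workbooks.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespace and content types for the parts we care about
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"
XLM_MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
MACRO_ENABLED_MAIN_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def _content_types_xml(parts, main_ct):
    """Build a [Content_Types].xml listing the given (part name, content type) pairs."""
    overrides = "".join(
        f'<Override PartName="/{name}" ContentType="{ct}"/>' for name, ct in parts
    )
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
        f"{overrides}</Types>"
    )


def build_sample(kind):
    """Construct a minimal OOXML container for testing (constructed sample data).

    kind: 'clean' (no macro), 'vba' (vbaProject.bin) or 'xlm' (Excel 4.0 macrosheet).
    """
    parts = []  # (part name, content type, payload)
    main_ct = PLAIN_MAIN_CT
    if kind == "vba":
        main_ct = MACRO_ENABLED_MAIN_CT
        parts.append(("xl/vbaProject.bin", VBA_PROJECT_CT, b"\xd0\xcf\x11\xe0placeholder"))
    elif kind == "xlm":
        main_ct = MACRO_ENABLED_MAIN_CT
        parts.append(("xl/macrosheets/sheet1.xml", XLM_MACROSHEET_CT, b"<macrosheet/>"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   _content_types_xml([(n, c) for n, c, _ in parts], main_ct))
        z.writestr("xl/workbook.xml", "<workbook/>")
        for name, _, payload in parts:
            z.writestr(name, payload)
    return buf.getvalue()


def inspect_attachment(data):
    """Return a dict of findings for one attachment (bytes)."""
    findings = {"is_ooxml": False, "vba_project": False, "xlm_macrosheet": False,
                "macro_enabled_main_part": False, "suspicious": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # legacy OLE2 .xls or non-Office data: not handled here
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "[Content_Types].xml" not in names:
            return findings  # a ZIP, but not an OOXML package
        findings["is_ooxml"] = True
        # First signal: the part names themselves
        findings["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        findings["xlm_macrosheet"] = any(n.lower().startswith("xl/macrosheets/") for n in names)
        # Second signal: declared content types, which survive a renamed part
        root = ET.fromstring(z.read("[Content_Types].xml"))
        for el in root.iter(f"{{{CT_NS}}}Override"):
            ct = el.get("ContentType", "")
            if ct == VBA_PROJECT_CT:
                findings["vba_project"] = True
            elif ct == XLM_MACROSHEET_CT:
                findings["xlm_macrosheet"] = True
            elif ct == MACRO_ENABLED_MAIN_CT:
                findings["macro_enabled_main_part"] = True
    findings["suspicious"] = findings["vba_project"] or findings["xlm_macrosheet"]
    return findings


if __name__ == "__main__":
    for kind in ("clean", "vba", "xlm"):
        print(kind, inspect_attachment(build_sample(kind)))
```

Both signals are checked because the part name and the declared content type are independent: a renamed part still has to be declared with its real content type for Office to load it. The check is a triage filter only; it says nothing about what the macro does, so a positive result is the point at which the attachment is pulled for sandbox or manual analysis.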
The cyber security experts explain how the malware infection chain works