Yoroi-CybazeZLab: a cybercrime group, dubbed “Sload-ITA” (aka TH-163), has targeted Italy with a malspam campaign for cyber espionage, using TTPs similar to those recently employed by the Russian hackers of APT29 (Cozy Bear) against US targets
A cybercrime group has been hitting Italy with a malspam campaign for cyber espionage. Cyber security experts at Certego and CERT-PA discovered it, and Yoroi – Cybaze ZLab then performed further analysis, dubbing it “Sload-ITA” (aka TH-163). It is unclear whether it is the work of a pre-existing cybercriminal team that has changed its tactics, techniques and procedures (TTPs), or of a new group of malicious hackers. What is certain, however, is that the attacks follow patterns similar to those of cyber aggression against targets in the United Kingdom documented by SANS ICS researchers last May. Moreover, the links inside the emails sent to the victims have been “weaponized” in a way similar to the ones used by the Russian state hackers APT29 (aka Cozy Bear, Office Monkeys, CozyCar, The Dukes and CozyDuke) in recent cyber attacks on US entities.
The malware used by the cyber criminals serves cyber espionage purposes. Here is what it is capable of
In this case too, as in the recent attacks in Italy against Public Administration bodies linked to the Interministerial Committee for the Security of the Republic (CISR), the objective of the malicious actors is cyber espionage. Yoroi – Cybaze ZLab has indeed found that the malware used by the cyber criminals has very specific characteristics and capabilities. First, it collects information about the victim’s machine: domains, the DNS cache, running processes, IP addresses and system architecture. It also periodically captures screenshots of the desktop, searches for the Microsoft Outlook folder and checks for the presence of “*.ICA” Citrix files in the user directory. The information is sent to the command and control server (C2), after which the attacker sends additional PowerShell code. This behaviour is typical of Trojan/spyware malware, often used as a bridgehead for reconnaissance of compromised hosts, and potentially in the early stages of more complex cyber attacks.
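The reconnaissance behaviour described above (DNS cache, process list, IP and architecture, desktop screenshots, Outlook folder lookup, search for “*.ICA” Citrix files, all driven from PowerShell) is something a defender can hunt for in process-creation telemetry. The script below is an added example, not code or indicators from the Yoroi/Certego analysis: it parses constructed, simplified process-creation events, maps each PowerShell command line onto the recon categories named in the article, and flags a host once three or more distinct categories appear on it. The regexes are assumptions about how such collection would surface in a command line, and the threshold, hostnames and log format are invented for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (one per line: timestamp, host, user,
# image, quoted command line). Sample data made up for this example.
SAMPLE_EVENTS = [
    r'2019-03-20T10:01:02Z host=WS01 user=alice image=powershell.exe cmdline="powershell -nop -w hidden -c Get-DnsClientCache; Get-Process; (Get-WmiObject Win32_OperatingSystem).OSArchitecture; Get-ChildItem $env:USERPROFILE -Recurse -Filter *.ica"',
    r'2019-03-20T10:05:40Z host=WS02 user=bob user_note=admin image=powershell.exe cmdline="powershell -c Get-Process | Where-Object CPU -gt 50"'.replace(" user_note=admin", ""),
    r'2019-03-20T10:07:11Z host=WS03 user=carol image=powershell.exe cmdline="powershell -w hidden -c Add-Type -AssemblyName System.Drawing; $g.CopyFromScreen(0,0,0,0,$b.Size); Test-Path $env:APPDATA\Microsoft\Outlook; Get-NetIPAddress"',
    r'2019-03-20T10:09:00Z host=WS02 user=bob image=cmd.exe cmdline="cmd /c dir"',
]

# Recon categories taken from the article's description of the malware, each
# paired with an assumed regex over a PowerShell command line (not report IoCs).
RECON_PATTERNS = {
    "dns_cache": re.compile(r"Get-DnsClientCache|ipconfig\s*/displaydns", re.I),
    "process_list": re.compile(r"Get-Process|tasklist", re.I),
    "network_info": re.compile(r"Get-NetIPAddress|ipconfig\s*/all", re.I),
    "architecture": re.compile(r"PROCESSOR_ARCHITECTURE|OSArchitecture", re.I),
    "screenshot": re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap", re.I),
    "outlook_dir": re.compile(r"Microsoft\\Outlook", re.I),
    "citrix_ica": re.compile(r"\*\.ica\b", re.I),
}

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmd>.*)"$'
)


def parse_event(line):
    """Return the event fields as a dict, or None if the line is malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def recon_categories(cmdline):
    """Set of recon categories whose pattern occurs in one command line."""
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(cmdline)}


def categories_by_host(lines):
    """Aggregate recon categories per host across all PowerShell events."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev["image"].lower().endswith("powershell.exe"):
            continue
        seen[ev["host"]] |= recon_categories(ev["cmd"])
    return dict(seen)


def flag_hosts(lines, threshold=3):
    """Hosts where at least `threshold` distinct recon categories were seen.

    A single category (e.g. an admin running Get-Process) is normal activity;
    several of them together on one host match the described recon pattern.
    """
    return sorted(h for h, cats in categories_by_host(lines).items()
                  if len(cats) >= threshold)


if __name__ == "__main__":
    for host, cats in sorted(categories_by_host(SAMPLE_EVENTS).items()):
        print(f"{host}: {sorted(cats)}")
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

The threshold-on-distinct-categories design is deliberate: any one of these commands is common in legitimate administration, so the signal is the combination, the same way the article characterises the malware by the set of things it collects rather than by a single action. In a real deployment the aggregation window would be bounded in time and the command lines would come from Sysmon event 1 or Windows 4688 with command-line auditing enabled.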