Google Threat Analysis Group: They use multiple platforms to communicate, a blog as a lure, and a novel social engineering technique.
CSE Cybsec ZLab: Cybercriminals have targeted Italy with the Necurs botnet and a variant of the Ursnif banking trojan starting from 6 June
Cybercriminals have targeted Italy with the Necurs botnet and a variant of the Ursnif banking trojan, as discovered by cyber security researchers from CSE Cybsec ZLab. Starting from 6 June, a new version of the malware hit Italian companies. Ursnif is well known: it was the most active malware code in the financial sector in 2016, and the trend has continued through 2017 to date. The malware is able to steal users' credentials, including credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites. The version that is spreading in Italy presents many improvements. The attachment used in this malicious campaign is a weaponized Microsoft Word document that relies on a social engineering technique to trick users into enabling macros, supposedly needed to view its content correctly.
The domains involved in the phishing campaign against the Italian companies are linked to the Necurs Botnet
Once Ursnif has infected a new machine in Italy, it attempts to spread to any other users in the address book of the compromised email accounts. To trick the victim into opening the malicious email, the message is presented as a reply to an existing conversation the victim took part in the past. While investigating the domains involved in the latest phishing campaign against Italian companies, the researchers discovered that many of them were registered with the same email address, "whois-protect[@]hotmail[.]com". This email address is directly connected to the infamous Necurs botnet, the malicious infrastructure used in past months to push many other malware families, including Locky, Jaff, GlobeImposter, Dridex, Scarab and TrickBot.
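As an added illustration, not part of the original report, of how a defender could screen for the lure described above: a standard-library Python heuristic that flags messages posing as replies to conversations the mailbox never had and carrying macro-capable Word attachments. The sample messages, addresses and Message-IDs are constructed here, not captured from the campaign.

```python
from email.message import EmailMessage

# Word formats that can carry VBA macros: legacy .doc/.dot embed them directly,
# .docm/.dotm are the macro-enabled OOXML variants.
MACRO_CAPABLE = {".doc", ".docm", ".dot", ".dotm"}


def triage(msg, known_message_ids):
    """Score one parsed message. known_message_ids holds the Message-IDs of mail
    this mailbox really sent or received. Returns (score, reasons)."""
    reasons = []
    in_reply_to = msg.get("In-Reply-To")
    thread_ids = set((msg.get("References") or "").split())
    if in_reply_to:
        thread_ids.add(in_reply_to)
    claims_reply = msg.get("Subject", "").lower().startswith("re:") or bool(thread_ids)
    if claims_reply and not thread_ids:
        reasons.append("subject says Re: but no In-Reply-To/References header")
    elif claims_reply and not (thread_ids & known_message_ids):
        reasons.append("reply references a thread this mailbox never saw")
    for part in msg.iter_attachments():  # yields nothing for single-part mail
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_CAPABLE:
            reasons.append(f"macro-capable Word attachment: {name}")
    return len(reasons), reasons


def constructed_lure():
    """Constructed sample modelled on the described lure: a fake reply to a
    conversation the mailbox never had, carrying a legacy .doc attachment."""
    m = EmailMessage()
    m["From"] = "partner@example.com"
    m["To"] = "victim@example.it"
    m["Subject"] = "Re: Fattura"
    m["Message-ID"] = "<lure-1@example.com>"
    m["In-Reply-To"] = "<never-seen@example.com>"  # constructed, unknown thread
    m.set_content("Please open the attached document.")
    m.add_attachment(b"\xd0\xcf\x11\xe0 placeholder", maintype="application",
                     subtype="msword", filename="Fattura.doc")
    return m


def constructed_benign_reply():
    """Constructed sample: a genuine reply to a message the mailbox sent."""
    m = EmailMessage()
    m["Subject"] = "Re: Meeting"
    m["In-Reply-To"] = "<sent-42@example.it>"  # constructed, known thread
    m.set_content("See you at 10.")
    return m


if __name__ == "__main__":
    known = {"<sent-42@example.it>"}
    print(triage(constructed_lure(), known))          # score 2
    print(triage(constructed_benign_reply(), known))  # score 0
```

The known-thread set would in practice come from the mailbox's own sent and received Message-IDs; the score is a triage signal to quarantine or sandbox the attachment, not a verdict.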