The attachment of an email about a fake shipment, if opened, contacts a link from which the malware is downloaded. The data is then exfiltrated via SMTP.
The cybercrime offensive to distribute Ursnif in Italy is evolving. Cyber security expert JAMESWT discovers a new campaign, technically the same as the last ones but with a different bait email.
The cybercrime offensive to distribute Ursnif in Italy is evolving. Cyber security researcher JAMESWT has discovered a new malspam campaign delivering the malware, which presents one new feature compared to the previous ones. The text of the email has changed: it no longer refers to the Revenue Agency, but to the confirmation of an online order paid by credit card. In addition, unlike in the past, the text contains several glaring syntax errors. On a technical level, however, it is identical to the previous campaign. The attachments (Excel files) and the links from which the malicious code is downloaded point to two different URLs (in the past to a single one); in addition, every two or three hours the executable is renewed so as not to be detected by antivirus. The ever shorter interval between campaigns confirms that they will continue, varying only slightly, as seen with this one. The campaign still checks the victim's IP to establish whether the machine is in Italy and, accordingly, “decides” whether or not to activate the infection chain.
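Because the executable is rotated every few hours, hash-based antivirus signatures lag behind; the chain described above (Office attachment fetching a payload from the web, followed by exfiltration over SMTP) is better caught by correlating endpoint behaviour. The following is an added example, not code from the article or from the researcher cited: it runs a simple correlation over constructed Sysmon-style network events, with host names, process names (the dropped `update.exe` is hypothetical), IPs and timestamps all made up.

```python
import json
from collections import defaultdict

# Constructed endpoint network-connection events (simplified Sysmon-style JSON).
# All hosts, process names, addresses and timestamps are made up for this example.
EVENTS = [
    '{"ts": 100, "host": "ws01", "image": "EXCEL.EXE",   "dst": "203.0.113.10", "dport": 80}',
    '{"ts": 160, "host": "ws01", "image": "update.exe",  "dst": "203.0.113.10", "dport": 80}',
    '{"ts": 400, "host": "ws01", "image": "update.exe",  "dst": "198.51.100.5", "dport": 25}',
    '{"ts": 120, "host": "ws02", "image": "OUTLOOK.EXE", "dst": "10.0.0.5",     "dport": 587}',
    '{"ts": 130, "host": "ws03", "image": "EXCEL.EXE",   "dst": "10.0.0.20",    "dport": 445}',
]

OFFICE_APPS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
MAIL_CLIENTS = {"OUTLOOK.EXE", "THUNDERBIRD.EXE"}   # legitimate SMTP talkers on a workstation
SMTP_PORTS = {25, 465, 587}
WINDOW = 3600  # seconds: Office download and SMTP egress must fall within this span

def is_rfc1918(ip):
    """True for RFC 1918 private ranges (manual check, so documentation IPs count as external)."""
    o = [int(x) for x in ip.split(".")]
    return o[0] == 10 or (o[0] == 172 and 16 <= o[1] <= 31) or (o[0] == 192 and o[1] == 168)

def find_suspects(lines, window=WINDOW):
    """Return one alert per host where an Office app reached an external host and,
    within `window` seconds, a non-mail process opened an outbound SMTP connection."""
    per_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        per_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        # Stage 1: Office process fetching something from outside the network
        downloads = [e for e in evs if e["image"].upper() in OFFICE_APPS and not is_rfc1918(e["dst"])]
        # Stage 2: SMTP egress from a process that is not a mail client
        egress = [e for e in evs if e["dport"] in SMTP_PORTS and e["image"].upper() not in MAIL_CLIENTS]
        for d in downloads:
            hit = next((s for s in egress if 0 <= s["ts"] - d["ts"] <= window), None)
            if hit:
                alerts.append({"host": host, "stage1": d["image"], "stage1_dst": d["dst"],
                               "exfil": hit["image"], "exfil_dst": hit["dst"]})
                break
    return alerts

if __name__ == "__main__":
    for a in find_suspects(EVENTS):
        print(a)   # only ws01 should be flagged
```

Only ws01 is flagged: ws02's SMTP traffic comes from a mail client, and ws03's Excel connection stays inside the private network.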