Proofpoint researchers have uncovered a new Ursnif Banking Trojan campaign conducted by a group known as TA544 that is hitting companies in Italy.
The researchers identified nearly 20 significant operations that delivered hundreds of thousands of malicious emails to Italian companies.
TA544 is a financially motivated threat actor that has been active since at least 2017. It specializes in attacks on financial users, using banking malware and other payloads against companies worldwide, mainly in Japan and Italy.
The researchers note that between January and August 2021, the number of Ursnif campaigns observed against Italian organizations had already equaled the total number of Ursnif campaigns aimed at Italy in all of 2020.
The TA544 group uses phishing and social engineering tactics to trick people into enabling macros in weaponized documents. The infection procedure begins once the macro is enabled.
In its recent attacks against Italian organizations, the TA544 group impersonated an Italian courier or energy company and requested payments from the victims. In the final stage, the spam emails use weaponized Office documents to drop the Ursnif banking Trojan.
The investigation revealed that the group used injectors to deliver malicious code to victims, which was then used to steal sensitive information such as payment card details and login credentials.
Researchers found that the most recent TA544 campaigns targeted several high-profile organizations, including:
- IBK
- BNL
- ING
- eBay
- PayPal
- Amazon
- CheBanca!
- Banca Sella
- UniCredit Group
According to a study of the web injects used by the group, the threat actors were also interested in stealing credentials for websites linked with large merchants.