{"id":6191,"date":"2021-04-01T14:40:58","date_gmt":"2021-04-01T21:40:58","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6191"},"modified":"2024-04-26T13:20:47","modified_gmt":"2024-04-26T20:20:47","slug":"italian-economic-support-themed-malspam-delivers-ursnif-banking-trojan","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/italian-economic-support-themed-malspam-delivers-ursnif-banking-trojan\/","title":{"rendered":"Italian Economic Support-Themed Malspam Delivers Ursnif Banking Trojan"},"content":{"rendered":"<h3><strong>Author: Christopher Kim<\/strong><\/h3>\n<h3><strong>TLP: WHITE<\/strong><\/h3>\n<h3>Overview<\/h3>\n<p>On 30 March, Infoblox observed a malspam campaign using an economic support-themed message to lure Italian-speaking victims into opening a malicious attachment that delivers Ursnif, a widely distributed banking trojan. The tactics, techniques, and procedures (TTPs) we observed in this campaign are consistent with recent Ursnif reports.<sup>1<\/sup><\/p>\n<h3>Customer Impact<\/h3>\n<p>Ursnif is a variant of the Gozi banking trojan (first discovered in 2007)<sup>2<\/sup> and is typically spread via phishing emails. Threat actors primarily use this malware for data theft. 
Its capabilities include:<\/p>\n<ul>\n<li>stealing computer system information, including operating system (OS) versions and running processes,<\/li>\n<li>stealing user credentials related to financial and banking services,<\/li>\n<li>communicating with command and control (C&amp;C) for data exfiltration and to download additional malware components, and<\/li>\n<li>executing backdoor commands from remote attackers.<\/li>\n<\/ul>\n<p>The majority of Ursnif campaigns within the last few months appear to have targeted Italian-speaking users.<sup>3<\/sup><sup>,<\/sup><sup>4<\/sup> Notably, in early March, Avast identified an Ursnif infection that led to over 1,700 stolen credentials from a single payment processor.<sup>5<\/sup><\/p>\n<h3>Campaign Analysis<\/h3>\n<p>The campaign we observed continuously sent spam emails to potential victims for several hours. All emails contained the same message and spoofed the Instituto Nazionale Previdenza Sociale (INPS), Italy\u2019s social security administration. Email subject lines consisted of one generic Italian word followed by a string of random digits (4-10 characters long), such as <em>Aggiornamento {digits}<\/em>, <em>PROPOSTA {digits}<\/em>, and <em>Licenza {digits}<\/em>.<\/p>\n<p>The email message was also written in Italian and informed recipients that they were qualified for economic support under legislative decree number 148 as a response to the ongoing pandemic. All messages included the same password &#8211; <em>allegato21<\/em> &#8211; and instructed recipients to use it to unlock the password- protected attachment and fill out the embedded application.<\/p>\n<p>This campaign also used compromised email accounts, as well as generic from names (e.g. 
<em>help<\/em>, <em>contact<\/em>, <em>members<\/em>) to send the messages.<\/p>\n<h3>Attack Chain<\/h3>\n<p>In one of the emails, we found a Microsoft Excel document named <em>lista_575.xlsb<\/em> after extracting the ZIP file attachment with the password contained in the email message.<\/p>\n<p>When we executed the spreadsheet, the macro embedded in the document downloaded a dynamic-link library (DLL) file and wrote it to <em>C:\\Users\\Admin\\AppData\\Local\\Temp\\signin.jpg.dll<\/em>. The actors behind this campaign used geofencing<sup>6<\/sup> to limit the distribution of the DLL payload to only users geolocated in Italy. After this, the macro executed the DLL with the Windows program, <em>RegSvr32.exe<\/em>.<\/p>\n<p>Next, Ursnif spawned a new explorer.exe process and injected its code into it. This rogue process then injected itself into the legitimate <em>explorer.exe<\/em>, which allowed Ursnif to run credential stealing functions. Ursnif then formatted the stolen information into key-value pairs that included various identifiers, such as software, version, user, server, and ID.<\/p>\n<p>The malware encrypted the key-value pair string into ciphertext, and then encoded it with base64. Finally, it appended the .dwg file extension to the encrypted string and submitted it to the C&#038;C server over HTTP.<\/p>\n<h3>Vulnerabilities &#038; Mitigation<\/h3>\n<p>Infoblox recommends the following to reduce the risk of this type of infection:<\/p>\n<ul>\n<li>Ursnif spawns its own explorer.exe and injects its code into it. This is unusual behavior for a legitimate application and a well-performing security tool should flag this process behavior.<\/li>\n<li>Be cautious of emails that provide plain text passwords in the message to open attachments.<\/li>\n<li>Subscribe to Infoblox threat feeds that contain curated C&#038;C domains. 
This data can be coupled with DNS Response Policy Zones (DNS RPZ) to disrupt malicious C&#038;C communications.<\/li>\n<li>Monitor firewall logs for unusual HTTP requests. Ursnif HTTP POST traffic contains unusually long and high entropy uniform resource identifiers (URI) since the malware sends stolen data via encrypted HTTP parameters.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-115.jpg\" alt=\"\" width=\"591\" height=\"712\" class=\"aligncenter size-full wp-image-6575\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-115.jpg 591w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-115-249x300.jpg 249w\" sizes=\"auto, (max-width: 591px) 100vw, 591px\" \/><\/p>\n<h3><strong>Endnotes<\/strong><\/h3>\n<ol>\n<li><a href=\"https:\/\/success.trendmicro.com\/solution\/000283513\">https:\/\/success.trendmicro.com\/solution\/000283513<\/a><\/li>\n<li><a href=\"https:\/\/www.zdnet.com\/article\/gozi-virus-mastermind-ordered-to-pay-7-million-in-damages\/\">https:\/\/www.zdnet.com\/article\/gozi-virus-mastermind-ordered-to-pay-7-million-in-damages\/<\/a><\/li>\n<li><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/new-variant-of-ursnif-continuously-targeting-italy\">https:\/\/www.fortinet.com\/blog\/threat-research\/new-variant-of-ursnif-continuously-targeting-italy<\/a><\/li>\n<li><a href=\"https:\/\/www.zdnet.com\/article\/ursnif-trojan-has-targeted-over-100-italian-banks\/\">https:\/\/www.zdnet.com\/article\/ursnif-trojan-has-targeted-over-100-italian-banks\/<\/a><\/li>\n<li><a href=\"https:\/\/blog.avast.com\/ursnif-victim-data\">https:\/\/blog.avast.com\/ursnif-victim-data<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Christopher Kim TLP: WHITE &nbsp; Overview On 30 March, Infoblox observed a malspam campaign using an economic support-themed message to lure Italian-speaking victims 
into opening a malicious attachment that delivers Ursnif, a widely distributed banking trojan. The tactics, techniques, and procedures (TTPs) we observed in this campaign are consistent with recent Ursnif reports.1 Customer [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6723,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[553],"tags":[314,333,436,260],"class_list":{"0":"post-6191","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-campaign-briefs","8":"tag-banking","9":"tag-cyberattack","10":"tag-finance","11":"tag-trojan","12":"entry"},"acf":[],"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6191","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=6191"}],"version-history":[{"count":5,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6191\/revisions"}],"predecessor-version":[{"id":6576,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6191\/revisions\/6576"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6723"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=6191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=6191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=6191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}