Researchers have discovered a new Ursnif banking Trojan campaign carried out by a group tracked as TA544, a financially motivated threat actor that is targeting organizations in Italy. The experts observed nearly 20 notable campaigns distributing hundreds of thousands of malicious messages aimed at Italian organizations.

The TA544 group leverages phishing and social engineering techniques to lure victims into enabling the macros included in weaponized documents. Once the macros are enabled, the infection process starts.

The TA544 group posed as an Italian courier or energy company soliciting payments from the victims. The spam messages carry weaponized Office documents that drop the Ursnif banking Trojan in the final stage.


“In the observed campaigns, TA544 often uses geofencing techniques to detect whether recipients are in targeted geographic regions before infecting them with the malware. For example, in recent campaigns, the document macro generates and executes an Excel 4 macro written in Italian, and the malware conducts location checks on the server side via IP address. If the user was not in the target area, the malware command and control would redirect to an adult website. So far in 2021, Proofpoint has observed nearly half a million messages associated with this threat targeting Italian organizations.”
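The quoted report describes a document macro that generates and executes an Excel 4.0 (XLM) macro. From a defender's side, the presence of XLM macro sheets or a VBA project inside an Office Open XML container is a cheap, reliable triage signal for mail-gateway or sandbox pipelines. The following is an added example, not code from the article or from Proofpoint: it inspects the ZIP container of an `.xlsm`/`.docm` file for the `xl/macrosheets/` parts and the macrosheet content type that Excel 4.0 macros are stored under, as well as for a `vbaProject.bin` part. The `build_sample` helper constructs a minimal, non-functional workbook container purely so the scanner can be run offline; it is not a real sample.

```python
import io
import zipfile

# Content type Excel assigns to Excel 4.0 (XLM) macro sheet parts.
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"

# Parts that hold a VBA project in OOXML workbooks and documents.
VBA_PARTS = {"xl/vbaProject.bin", "word/vbaProject.bin"}


def scan_ooxml(data: bytes) -> dict:
    """Return macro indicators found in an OOXML container (xlsx/xlsm/docx/docm).

    Checks three independent signals so that renaming or stripping one part
    does not hide the others:
      - XLM macro sheet parts under xl/macrosheets/
      - the macrosheet content type declared in [Content_Types].xml
      - a vbaProject.bin part (classic VBA macros)
    """
    findings = {
        "xlm_macrosheets": [],
        "macrosheet_content_type": False,
        "vba_project": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("xl/macrosheets/") and name.endswith(".xml"):
                findings["xlm_macrosheets"].append(name)
            if name in VBA_PARTS:
                findings["vba_project"] = True
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macrosheet_content_type"] = MACROSHEET_CT in content_types
    findings["suspicious"] = bool(
        findings["xlm_macrosheets"]
        or findings["macrosheet_content_type"]
        or findings["vba_project"]
    )
    return findings


def build_sample(with_xlm: bool) -> bytes:
    """Construct a minimal workbook container for testing the scanner.

    This is a constructed sample: it contains no executable macro content and
    will not open in Excel; it only mimics the part layout of a real .xlsm.
    """
    overrides = [
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
    ]
    if with_xlm:
        overrides.append(
            f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_xlm:
            # Placeholder macro sheet part; real XLM sheets hold <macrosheet> cells.
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("with_xlm=%s -> %s" % (flag, scan_ooxml(build_sample(flag))))
```

Replace `build_sample(...)` with the bytes of a real attachment to use it in a pipeline. The scanner deliberately does not parse the macro formulas themselves; its purpose is triage, flagging any attachment that carries XLM or VBA parts for sandboxing or quarantine rather than attempting to judge the macro's intent.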

The group employed file injectors to deliver malicious code used to steal sensitive information from the victims, such as payment card data and login credentials.

Some of the high-profile companies targeted by the web injects:

  • IBK
  • BNL
  • ING
  • eBay
  • PayPal
  • Amazon
  • CheBanca!
  • Banca Sella
  • UniCredit Group

The analysis of the web injects used by the group suggests that the threat actors were also interested in stealing credentials for websites associated with major retailers.