Researchers have discovered a new Ursnif banking Trojan campaign carried out by a group tracked as TA544, a financially motivated threat actor that is targeting organizations in Italy. The experts observed nearly 20 notable campaigns distributing hundreds of thousands of malicious messages targeting Italian organizations.
The TA544 group leverages phishing and social engineering techniques to lure victims into enabling the macros included in weaponized documents. Once the macros are enabled, the infection process starts.
The TA544 group posed as an Italian courier or energy organization soliciting payments from the victims. The spam messages use weaponized Office documents to drop the Ursnif banking Trojan in the final stage.
The group employed file injectors to deliver malicious code used to steal sensitive information from the victims, such as payment card data and login credentials.
Some of the high-profile targeted companies:
- Banca Sella
- UniCredit Group
The analysis of the web injects used by the group suggests that the threat actors were also interested in stealing credentials for websites associated with major retailers.