The CERT-AgID has published the 10 malware families that hit the Italian Public Administration most often in the first half of 2021. Surprisingly, they all belong to the broad category of “infostealers”, while the notable absentee is ransomware.
Infostealers hit Italy: data at risk
The monitoring activity carried out by the Computer Emergency Response Team of the Agency for Digital Italy (CERT-AgID) during the first six months of 2021 revealed 238 malicious campaigns conducted against the PA, from which it identified 33 distinct malware families. Each of them was analyzed in order to identify the attack vectors and communicate the related Indicators of Compromise (IoC).
The ten most detected malware families all belong to the vast category of “infostealers”, that is, malicious applications developed to collect information from the systems they attack.
These components can be launched individually or be included in more complex campaigns, making them among the most used and profitable for cybercriminals.
The data collected may have a definite economic value when sold on the Dark Web, or serve as a stepping stone to obtain further data, to penetrate deeper into systems (think of user credentials), or to access, for example, bank accounts.
Formbook: Malware that also spreads via HTML files
The most detected malware in the period under review was Formbook, with 37 campaigns, all based on messages that invite the recipient to download and open attachments containing the malicious payload.
In addition to the classic extensions .zip, .rar, .iso, etc., for the first time an HTML file was used that opens a fake download page imitating the well-known online file transfer service WeTransfer.
The page that loads copies the graphics of the original service and displays the typical malicious double extension, but its download links are fraudulent: if clicked, they download the executable containing the actual malware.
ASTesla uses Telegram bots to spread
In second place we find ASTesla, so named for its similarities with the already known AgentTesla, which uses messages apparently attributable to the logistics leader DHL to invite the recipient to download attachments with the payload inside.
Once installed, it sends information about the infected machine, such as hardware identifiers, user and computer names, to the command and control (C&C) server and begins to collect data.
In addition to the classic keylogger function, it records cookies, screenshots at set intervals, the contents of the clipboard and the credentials of a long list of applications: everything is exfiltrated via HTTP, FTP, e-mail or even via Telegram, thanks to a dedicated bot.
Ursnif: the most active banking Trojan in Italy
Despite being known since 2012, the Ursnif malware, derived from the more famous Gozi, is confirmed in third position as a fixed presence in the Italian landscape, with almost daily attacks by this banking trojan, of which the CERT-AgID has provided a complete analysis in recent months.
It usually involves commercial e-mails written in correct Italian, or messages imitating the look of the INPS, MISE or Revenue Agency portals. In every case there are Excel attachments containing macros which, if enabled by the user, download the malware loader; the file is protected with a password so that antivirus signature checks cannot inspect it.
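The Formbook and Ursnif campaigns described above share the same carrier: an e-mail attachment that is an HTML lure, a document with macros, or an archive whose member carries a double extension or is password-protected. The script below is an added example, not code from CERT-AgID or from this article, of a mail-gateway triage pass that flags those traits for an analyst. The message, attachment names and archive contents are constructed sample data; the password-protected archive is simulated by setting the ZIP "encrypted" flag by hand, since the standard library cannot write encrypted ZIPs.

```python
"""Triage heuristics for e-mail attachments (added example, constructed data)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions seen as payloads or carriers in the campaigns discussed (.apk is the
# Android package used by Flubot; the rest are classic Windows executables/scripts).
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".msi", ".apk"}
ARCHIVE_EXTS = {".zip", ".rar", ".iso", ".7z", ".img"}
MACRO_EXTS = {".xls", ".xlsm", ".doc", ".docm", ".ppt", ".pptm"}
HTML_EXTS = {".html", ".htm"}


def double_extension(name):
    """True for names like 'Fattura.pdf.exe': a document suffix hides an executable."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS


def zip_findings(data):
    """Inspect a ZIP without extracting: encrypted members, executables, nested archives."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = PurePosixPath(info.filename).suffix.lower()
                if info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
                    findings.append(f"encrypted member {info.filename}")
                if ext in EXECUTABLE_EXTS or double_extension(info.filename):
                    findings.append(f"executable member {info.filename}")
                elif ext in ARCHIVE_EXTS:
                    findings.append(f"nested archive {info.filename}")
    except zipfile.BadZipFile:
        findings.append("attachment claims to be a ZIP but is not a valid archive")
    return findings


def triage_attachment(name, data):
    """Return the list of suspicious traits of one attachment (empty if none)."""
    ext = PurePosixPath(name).suffix.lower()
    findings = []
    if double_extension(name):
        findings.append("double extension")
    if ext in HTML_EXTS:
        findings.append("HTML attachment (possible fake download page)")
    if ext in MACRO_EXTS:
        findings.append("Office document that may carry macros")
    if ext == ".zip":
        findings.extend(zip_findings(data))
    elif ext in ARCHIVE_EXTS:
        findings.append("archive container (inspect contents)")
    return findings


def triage_message(raw_bytes):
    """Parse a raw RFC 822 message and map each flagged attachment to its findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings = triage_attachment(name, part.get_payload(decode=True) or b"")
        if findings:
            report[name] = findings
    return report


def make_zip(members, encrypted=False):
    """Build an in-memory ZIP. To simulate a password-protected archive, set the
    'encrypted' bit in every central-directory record (offset 8 of 'PK\\x01\\x02')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        pos = data.find(b"PK\x01\x02")
        while pos != -1:
            data[pos + 8] |= 0x01
            pos = data.find(b"PK\x01\x02", pos + 1)
    return bytes(data)


def build_sample_message():
    """Constructed sample: one message with an HTML lure, an encrypted ZIP hiding a
    double-extension executable, and a harmless PDF. All names are made up."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "protocollo@example.invalid"
    msg["Subject"] = "Documento condiviso"
    msg.set_content("Scarica il documento allegato.")
    msg.add_attachment(b"<html><a href='http://example.invalid/Doc.pdf.exe'>Download</a></html>",
                       maintype="text", subtype="html", filename="WeTransfer.html")
    msg.add_attachment(make_zip({"Fattura.pdf.exe": b"MZ constructed"}, encrypted=True),
                       maintype="application", subtype="zip", filename="Fattura.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="Contratto.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, traits in triage_message(build_sample_message()).items():
        print(attachment, "->", ", ".join(traits))
```

The checks are deliberately cheap (names, container structure, flag bits) so they can run before any sandbox detonation; an encrypted archive cannot be scanned by signature, which is exactly why the Ursnif campaigns use one, so its presence is itself the signal to route the message for manual review.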
Lokibot: this is how it steals our email, browser and chat passwords
Mid-table with 17 campaigns detected is Lokibot malware, designed to retrieve email client, browser and messaging application credentials.
In 2020 it had already been used in a campaign built around an e-mail apparently coming from the Sapienza University of Rome, complete with an address that looked genuine at first glance ([email protected]) and a malicious attachment in PowerPoint format.
This format is not commonly used, attackers usually preferring the classic Word and Excel attachments that dominate the workplace. In this case, however, to match the specific pretext of the message, a presentation file was chosen as better suited to a text about a university project.
In 2021 the malware also appeared in phishing campaigns that imitated e-mails from the Intesa Sanpaolo bank, with a compressed .zip attachment containing an .iso file from which an .exe is extracted.
Flubot: Android malware that spreads via SMS
The only malware in this list that is delivered by SMS rather than by ordinary e-mail is Flubot, already widespread outside Italy and detected in our country since last April.
The 17 recorded campaigns all revolve around SMS messages about the delivery, collection or tracking of bogus DHL shipments; they carry a malicious link inviting the recipient to download and install the .apk package of a purported DHL app for Android.
Once the app is installed, the malware has no effect until the high privileges guaranteed by the accessibility service (designed to help blind and disabled people in the use of devices) are granted, thus operating not on the basis of vulnerability or flaws, but thanks to the permissions offered by the user himself.
Once launched, Flubot can directly steal data such as messages and address book, steal credit card data with a fake Google Play Protect page, present phishing pages in place of the legitimate ones of the respective apps, as well as take control of notifications on codes for two-factor authentication.
This malware, in continuous evolution (it has reached version 4.0), is particularly worrying because of its ease of transmission, also linked to the often scarce attention paid when using smartphones, because of the wide scope for compromise given the data it can recover, and because of how hard it is to remove, since it kills any uninstall attempt as soon as it detects one.
Emotet: a real criminal framework
Although the infrastructure on which it was based was dismantled in January 2021, thanks to an international operation by Europol and Eurojust, the Emotet malware was nevertheless recorded in 10 campaigns.
This trojan, around and constantly evolving since 2014, relied on a large botnet that allowed attacks of various kinds to be carried out under the Cybercrime-as-a-Service model, offering its customers DDoS or phishing attacks even without special technical knowledge.
Created to take advantage of the increasingly widespread use of home banking services, thanks also to its modularity and the use of e-mail attachments with macros to steal credentials and passwords, it has become one of the most harmful malware in recent years.
IceID: modular malware that “adapts” to victims
With the dismantling of the Emotet network, the IceID malware, which uses the same modular as-a-service model, is a candidate to replace it as an even greater danger, both for individual users, exposed to its banking trojan functions, and for corporate users, given its ability to infiltrate the network and launch remote access trojans (RATs).
The methods of infection remain the same: apparently legitimate e-mails with attachments containing macros that the user is invited to enable.
sLoad: the PEC malware
The malware in last position, with 6 detected campaigns, is sLoad, whose particularity is that it is the only one conveyed not by Ordinary Electronic Mail (PEO) but by Certified Electronic Mail (PEC), a medium that raises concern because it is usually associated with official communications and therefore leads recipients to lower their guard.
Apart from the carrier difference, the dynamics of the attack remain the same: fraudulent but credible commercial e-mails with attached .zip archives containing the actual payload.
What we learn from the recent attacks
From the analysis of the malware that affected the Italian Public Administration in the first half of 2021, a scenario emerges made up of old or new campaigns, but all focused on infections carried by malicious attachments and aimed at stealing data.
Of particular interest are the PEC variant represented by sLoad and Flubot's move to the Android smartphone field.
The CERT-AgID itself attributes the absence of ransomware, despite its growth, to the fact that such campaigns are usually aimed at a single target and follow the compromise and exfiltration phase.