In the last few days, two hacker attacks are putting the IT security of Italian users at risk. Both exploit the trick of false invoices
Don't open that email message: it could contain a virus. It's not a generic warning but a specific indication related to two hacker attacks currently underway in Italy, by an unidentified group of cyber criminals who aim to steal sensitive data on a large scale.
The alarm on the first attack comes from the IT security company Yoroi, which released a note explaining the dynamics of this attack, also confirmed by the Computer Emergency Response Team of the Presidency of the Council of Ministers for Public Administration (CERT-PA). It is an attack called SLoad-ITA, localized version in Italian of a hacker campaign already carried out in May against users in the United Kingdom. Thousands of mailboxes have already been reached: the attack started on November 10 and the maximum peaks, at the moment, have been registered between November 19 and 24. The second attack was communicated yesterday by CERT-PA and concerns the spread of the Torjan Danabot and the first infected email was detected in the morning of November 27, 2018.
How the SLoad-ITA and Danabot viruses work
The SLoad-ITA infection originates, as we said, from a classic fraudulent email that invites us to open an electronic invoice issued in July. Clicking on the link to download the invoice downloads a ZIP file containing an image in PNG format and an LNK link. Clicking on the LNK file executes the actual malicious code, but it is hidden in the previous ZIP file and this subtlety allows this attack to pass most of the antivirus checks of email inboxes. Such code proceeds to download other files that it hides on the computer to be infected, which, in turn, manages to steal information on all affected devices.
The Danabot Trojan works in a very similar way: the usual email invites us to download the usual invoice, this time with November 2018 date, and when we click on the link a compressed file is downloaded, this time in Rar format. Inside the Rar file is contained a script that, as soon as it is executed, downloads the Danabot Trojan on the PC that is infecting. The third stage is to schedule the malware to run every time the PC is restarted, in order to combat a possible virus scan.
The Dangers of SLoad-ITA and Danabot
What exactly do these two new viruses that are spreading fast in Italy do? In the case of SLoad-ITA, the malicious codes collect information about our computer, such as the applications we are using, the data of our Internet connection and take periodic screenshots of our desktop. All this information is then sent, without our knowledge, to the hackers' servers which respond by sending additional files (different from the previous ones) but equally infected and with new portions of malicious code. The Danabot Trojan, on the other hand, attempts to steal system credentials (login and password), browser and email client credentials, and finally to gain remote access to our PC via VNC and RDP systems. So, in both cases, these are sophisticated cyber-espionage campaigns that have been put in place to collect huge amounts of information about the habits of (potentially) millions of users.
How to protect yourself against SLoad-ITA and Danabot
Looking at the way SLoad-ITA works, at the moment the offending email manages to pass through the virus filters of most email inboxes. The continuous download of different infected files also reduces the effectiveness of a local antivirus scan, on the already infected PC, because it is as if the virus is constantly changing. Danabot is less advanced, but still difficult to be filtered out by e-mail antispam.
At the moment, therefore, the best precautionary measure to defend yourself from SLoad-ITA and Danabot is also the least technical one: open your eyes and, if you get an e-mail inviting you to download an e-mail invoice from an address you do not know, trash it immediately.