Malspam wave in Italy: beware of invoices attached to emails from unknown addresses
Two types of attacks by cyber criminals have recently been occurring in Italy. We discussed them in this article, which has also been picked up by Federprivacy, the main Italian association of data protection professionals.
The attacks, which aim to spread the malware known as SLoad-ITA and Danabot, take the form of a classic fraudulent email inviting the recipient to open links or attached documents, such as an electronic invoice.
For now, therefore, the best precaution is still the most "classic" one, relying on the user's own caution: do not open, and immediately delete, any email that invites you to download such documents, especially when it comes from an unknown sender or address. It is also worth examining carefully, before following links or downloading attachments, even emails that come from known senders: the sender may have been infected, or the message may be a forgery.
What is the SLoad-ITA virus
SLoad-ITA, as the name suggests, is the Italian version of an attack seen in the United Kingdom in May 2018. It is a malspam attack: the malware that infects the computer is delivered through a mass spam campaign designed to reach as many users as possible. To make it work, the criminals also use social engineering techniques, presenting themselves as a credible counterpart so that users do exactly what the attackers want.
To trick users, the group behind SLoad-ITA sends an email announcing an outstanding invoice, supposedly attached, dating back to July 2018. On downloading the attachment, however, you find that it is a ZIP file (a compressed folder) rather than the PDF or DOC file you might expect. Inside the archive are two files: an image and a file with the LNK (Windows shortcut) extension. Opening the LNK file does nothing visible except launch the malware, a RAT (Remote Access Trojan) that gives the attackers access to the data on your hard drive and lets them download further malware without your knowledge.
Specifically, SLoad-ITA is reported to take periodic screenshots while you are using your computer and send them to the attacker automatically, so the criminal always knows what you are doing.
What is the Danabot virus
The second threat, which began spreading in Italy in the last days of November 2018, is a banking trojan already known to security researchers worldwide. As ESET, one of the major IT security companies, explains, Danabot is modular, multi-stage malware that its operators can modify and customize with plugins to adapt it to the different countries in which it is used.
In this case too, distribution relied on a spam email campaign very similar to the one used for SLoad-ITA, which suggests that the same group may be behind both attacks, although there is no certainty on this point. Danabot arrives as a compressed file with the RAR extension, containing infected files that install themselves on the affected computer.
As mentioned, Danabot's original purpose was to retrieve and steal banking information from victims (home banking credentials, credit card numbers, etc.), but the changes it has undergone in recent weeks have greatly expanded its capabilities. Danabot can now give attackers remote control of infected computers (through a plugin called VNC); analyze network traffic and gather information about the user's habits (Sniffer plugin); and steal passwords from browsers, email clients and other software installed on the PC (Stealer plugin).
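As an added example (not from the original article, nor from ESET or the campaigns it describes), the following Python script shows the kind of check a mail gateway, or a cautious user, can run on an "invoice" attachment before anyone opens it. It identifies the real container type from the file's leading bytes regardless of its name, flags a ".pdf" that is really a ZIP or RAR (the two archive formats named for SLoad-ITA and Danabot above), and, for ZIP archives, lists members with shortcut or executable extensions such as the LNK file in the SLoad-ITA attachment. The sample archive it builds (an image decoy beside a .lnk named after a July 2018 invoice) is constructed for the demonstration; the file names and the RISKY_EXTENSIONS list are assumptions, not indicators taken from the campaigns.

```python
import io
import os
import zipfile

# Leading bytes ("magic") of the container formats relevant here. The file
# name is ignored on purpose: an attachment called "fattura.pdf" that starts
# with "PK\x03\x04" is a ZIP archive, whatever its extension claims.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",   # prefix shared by RAR 1.5-4.x and RAR 5 signatures
}

# Member extensions that have no business inside an "invoice" archive.
# Assumed list for this example; a real gateway policy would be tuned locally.
RISKY_EXTENSIONS = {
    ".lnk", ".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".vbe",
    ".bat", ".cmd", ".ps1", ".hta",
}


def sniff_type(data: bytes) -> str:
    """Return the real container type ('pdf', 'zip', 'rar' or 'unknown') from leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def risky_members(zip_bytes: bytes) -> list:
    """List the members of a ZIP archive whose extension indicates executable content."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            _, ext = os.path.splitext(info.filename.lower())
            if ext in RISKY_EXTENSIONS:
                found.append(info.filename)
    return found


def assess_attachment(filename: str, data: bytes) -> dict:
    """Decide whether an attachment should be quarantined and explain why."""
    claimed_ext = os.path.splitext(filename.lower())[1]
    real_type = sniff_type(data)
    reasons = []
    members = []

    # 1. Extension/content mismatch: an "invoice.pdf" that is not a PDF.
    if claimed_ext == ".pdf" and real_type != "pdf":
        reasons.append(f"extension .pdf but content is {real_type}")

    # 2. RAR cannot be opened with the standard library; flag it for manual review.
    if real_type == "rar":
        reasons.append("RAR archive attached (members not inspected here)")

    # 3. ZIP: look inside for shortcut/executable members.
    if real_type == "zip":
        try:
            members = risky_members(data)
        except zipfile.BadZipFile:
            reasons.append("corrupt or truncated ZIP")
        if members:
            reasons.append("archive contains executable member(s): " + ", ".join(members))

    return {
        "filename": filename,
        "real_type": real_type,
        "risky_members": members,
        "reasons": reasons,
        "quarantine": bool(reasons),
    }


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the described attachment: an image decoy plus a .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fattura_luglio_2018.jpg", b"\xff\xd8\xff\xe0 placeholder, not a real image")
        zf.writestr("fattura_luglio_2018.lnk", b"L\x00\x00\x00 placeholder, not a real shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    # The message claims a PDF invoice; the bytes are a ZIP with a .lnk inside.
    verdict = assess_attachment("Fattura_luglio_2018.pdf", build_sample_zip())
    for reason in verdict["reasons"]:
        print("QUARANTINE:", reason)
```

The decision deliberately does not depend on the attachment's name, which the sender controls; only the content is trusted. A real gateway would add a RAR library to inspect RAR members the same way, and would log the verdict rather than rely on the recipient's judgement.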