Summary:
A recent phishing campaign has been detected that exploits the WeTransfer brand and cPanel control panel. Fraudulent emails contain links to fake login pages designed to steal user credentials. The phishing page is hosted on GitHub Pages, enhancing its credibility, and utilizes Telegram bots to collect stolen information.…
Author: Italy-Cert-agid
Summary:
The Vidar malware has resurfaced, targeting Italian email accounts through compromised PEC mailboxes. This new wave of attacks employs VBS files to execute PS1 scripts and utilizes over 100 distinct domains with nearly a thousand randomly generated subdomains for downloading the malware. The attackers have strategically activated these links on November 18, suggesting a planned approach to maximize impact at the start of the workweek.…

Summary:
A recent phishing campaign targeting DocuSign has been identified by CERT-AGID. The fraudulent emails contain HTML attachments designed to steal user credentials, allowing attackers to access sensitive accounts and information. The phishing page mimics the DocuSign login interface and sends captured credentials to a Telegram bot.…

Summary:
A new malspam campaign is targeting victims in Italy with the Formbook malware, known for its infostealer capabilities. The emails, disguised as urgent communications regarding unpaid invoices, prompt recipients to open a compressed 7Z file containing a malicious VBS script. This script decodes data to extract an executable that ultimately installs Formbook on the victim’s machine.…

Summary:
The Vidar malware has resurfaced in Italy, targeting email users through compromised PEC mailboxes. This new campaign mirrors previous tactics, utilizing VBS payloads and updated download URLs to evade detection. Vidar is known for stealing credentials and sensitive data, exploiting the trust associated with PEC communications.…

Summary:
CERT-AGID has released version 2.0.1 of the hashr tool, a free and open-source software designed to detect malicious files by comparing their hash values with known hashes. Public administrations can access real-time Indicators of Compromise (IoC) to enhance cybersecurity efforts.
Keypoints:
New version of hashr (v.2.0.1) released by CERT-AGID.…

Summary:
The CERT-AGID has recently identified and mitigated a new malspam campaign aimed at spreading the Vidar malware. The emails, disguised as legitimate communications from an Italian company regarding unpaid invoices, contain malicious links that initiate the download of a harmful VBS file. This file executes a PowerShell script that connects to a known domain, facilitating further malicious activities.…

Summary:
The CERT-AGID has identified a malicious campaign distributing the XWorm RAT trojan through deceptive emails masquerading as official communications from Namirial. The emails contain a password-protected PDF that lures victims into downloading a ZIP file from Dropbox, which initiates a chain of compromise leading to the installation of various malware, including XWorm.…

The criminal group behind Vidar is intensifying its operations in Italy, primarily using PEC mailboxes to conduct attacks. This strategy has proven effective in spreading malware across the country. The CERT-AGID has observed and countered three malicious campaigns from Vidar, with support from PEC managers.…
Many GitHub users are receiving alarming emails claiming a security vulnerability in their repositories. The emails, supposedly from the “GitHub Security Team,” direct users to a suspicious link that leads to malware distribution. The domain in question was registered recently and is linked to a malware called Lumma Stealer, which is designed to steal sensitive user information.…
Summary:
A sophisticated phishing campaign has been reported to CERT-AGID, exploiting the SPID service to steal login credentials from users of various Italian banks. The fraudulent webpage mimics the AGID branding and prompts users to update their credentials to maintain access to online services requiring SPID authentication.…
On September 17, 2024, CERT-AGID issued a warning about a malspam campaign using PEC mailboxes, initially linked to the Italian domain Excite, which at that time was not serving any malicious payload. The campaign has since evolved and now uses an active domain that delivers a JavaScript file leading to the installation of the Vidar malware.…
This weekend, a malicious campaign was identified and countered, utilizing compromised PEC accounts to target other users of the Certified Email service. The message, posing as a creditor, demands payment of 1305 euros and threatens legal action if not paid within five days. It includes a link to download an invoice, which may be a phishing attempt or malware.…
A third malicious campaign has been detected within a month, aimed at spreading the Vidar malware through compromised PEC emails sent to other PEC addresses. This wave of attacks features fraudulent communications urging payment of an alleged overdue invoice, threatening legal consequences for non-compliance.…
A new smishing campaign targeting INPS is underway, aiming to steal victims’ credit card information and personal data such as name, surname, and tax code. The tactics, techniques, and procedures (TTPs) are well-orchestrated, notably utilizing a Telegram bot for Command and Control, a practice more commonly seen in malware operations.…
A new wave of malspam distributing the Vidar malware has emerged, using PEC emails to spread a malicious JavaScript file. The download is only served after a check that the request comes from a Windows client. A Python script has been created to decode the JavaScript, which leads to the final payload.…
The CERT-AGID has issued an alert regarding a large-scale malspam campaign aimed at distributing the Quasar RAT malware. This campaign, which utilizes official logos from the Ministry of the Interior to deceive victims, was first identified on August 16, 2024. The malware targets users of specific Italian banks.…
This week, the StrRat malware has once again affected Italy. CERT-AGID has studied the new sample to provide a quick decoding tool for analysts. StrRat is a Remote Access Trojan (RAT) written in Java, primarily designed for information theft, featuring backdoor capabilities and a plugin architecture for complete remote access.…
A serious supply-chain attack on the Polyfill.io service has been discovered: over 100,000 websites are involved.
This week, CERT-AGID identified and analysed a total of 27 malicious campaigns in the Italian landscape it monitors, 21 with Italian targets and 6 generic campaigns that nevertheless affected Italy, and made the related 305 indicators of compromise (IoC) available to its accredited bodies.
Below we report the details of the campaign types shown in the charts, based on data extracted from the CERT-AGID platforms, which can also be consulted on the Statistics page.…
10/04/2024
Today a phishing campaign aimed at stealing credentials for Certified Email (PEC) mailboxes has emerged. The operation is carried out by sending a deceptive email to PEC mailbox users. The message warns of a supposed account deactivation request, to be completed within 24 hours, and suggests clicking on a link in the body of the message if the request is considered an error.…
09/04/2024
A sophisticated malicious campaign is currently underway, aimed at compromising Android devices in Italy through the SpyNote malware. The malware is disguised as the “INPS Mobile” application, available for download from a domain created specifically for this purpose yesterday, with the aim of deceiving victims.
The phishing page, reported by D3lab to CERT-AGID, is carefully designed with logos and content that reproduce the official ones of the Institute.…
08/04/2024
As already highlighted and extensively documented in each of our weekly reports, since the beginning of the year there has been a significant increase in AgentTesla campaigns targeting Italy.
Just last week, CERT-AGID detected a particularly intense activity characterized by the use of PDF attachments.…
Recently, AgentTesla operators have stepped up their malspam campaigns in Italy, confirming the trend observed in recent months towards greater use of PDF attachments. These documents contain links that, once opened, initiate the download of files containing malicious JavaScript code.
The email urgently invites the recipient to view the document attached to the communication.…
26/03/2024
The CERT-AGID has been informed of an active campaign targeting Public Administrations, aimed at stealing access credentials to MS Outlook email accounts.
The attackers, posing as HR or company accounting departments, are sending fraudulent emails promising salary adjustments or access to electronic pay slips, in an attempt to steal login credentials and other sensitive information.…
25/03/2024
The CERT-AGID has detected a phishing page targeting users of Siatel v2.0 – PuntoFisco of the Revenue Agency, active online since the early afternoon of March 21, 2024.
Although it presents similarities with the campaign identified last year by the Revenue Agency, at the moment we do not have the email that prompts users to authenticate on the phishing page.…