Summary of malicious campaigns in the week of 20 – 26 April 2024

This week, CERT-AGID identified and analysed, within its Italian reference scenario, a total of 27 malicious campaigns, 21 of them with Italian targets and 6 generic ones that nevertheless affected Italy, and made the 305 related indicators of compromise (IoCs) it identified available to its accredited bodies.

Below are the details of the categories illustrated in the graphs, based on data extracted from the CERT-AGID platforms, which can be consulted via the Statistics page.

Trend of the week

The most relevant topics of the week

9 themes were used this week to convey malicious campaigns on Italian territory. In particular:

  1. Banking – Recurring theme in phishing and smishing campaigns aimed mainly at customers of Italian banking institutions, used to spread the AgentTesla and Formbook malware, and in a campaign aimed at compromising Android devices with the Irata malware.
  2. Payments – Theme exploited for the AgentTesla, StrRat, Formbook and Guloader malware campaigns.
  3. Disbursements – Theme used for INPS smishing campaigns.

The rest of the themes were exploited to convey malware and phishing campaigns of various types.

Events of particular interest:

Malware of the week

8 malware families were observed in the Italian scenario. Of particular importance this week are the following campaigns:

  1. AgentTesla – Three campaigns identified, two Italian and one generic, themed “Order”, “Banking” and “Delivery”, conveyed via email with RAR, 7Z and Z attachments.
  2. Formbook – Three campaigns observed, one of which targeted Italy, themed “Order”, “Payments” and “Banking”, spread in Italy via email with RAR attachments.
  3. RemcosRAT – Two generic campaigns detected, themed “Estimate”, spread in Italy via email with LZH and GZ attachments.
  4. LockBit – A massive campaign themed “Documents” identified, conveyed indiscriminately to public and private entities via email with ZIP attachments containing an SCR executable. Further information and IoCs are available in a specific press release.
  5. Guloader – An Italian “Payments” themed campaign detected, conveyed via email with GZ attachments.
  6. StrRat – An Italian “Payments” themed campaign observed, spread via email with JAR attachments.
  7. Irata – An Italian “Banking” themed campaign, conveyed via SMS with a link to download a malicious APK, was thwarted.
  8. jRAT – A “Documents” themed campaign detected, spread via email with XZ attachments and aimed at distributing the jRAT malware in Italy.

Phishing of the week

7 brands were involved this week in phishing and smishing campaigns. Of particular interest this week: a phishing campaign using the Revenue and Collection Agency brand, and the INPS campaigns that have been widely discussed for about 2 years now.

File formats mainly used to deliver malware

Distribution channels

Targeted and generic campaigns

Source: Original Post