
Cybercrime, the 10 most widespread malware in Italy

by admin
During 2023, AgentTesla established itself as the most widespread malware in Italy, followed by Formbook and Ursnif. The top ten also include SpyNote, a well-known spyware family targeting Android devices. This is what emerges from the summary report on the malicious campaigns that affected Italy in 2023, compiled by CERT-AgID from several sources and methodologies: reports from private organisations and public administrations, detections by the CERT's automated systems, detailed analyses of malware samples, and investigations into the incidents it handled.

Overall, during 2023 CERT-AgID identified and countered a total of 1,713 malicious campaigns, sharing 20,603 indicators of compromise (IoCs) with its accredited organisations. In total, 54 malware families were identified, of which 78% fell into the infostealer category and the remaining 22% into the RAT (Remote Access Trojan) category. In phishing and smishing attacks, which involved a total of 68 brands, the main objective was the theft of banking credentials and webmail access credentials and, in the case of smishing impersonating INPS, the theft of identity documents.

Fewer attacks via certified email, smishing is growing

The main themes exploited for the attacks remained unchanged compared to previous years, except for the “Revenue Agency” theme, which was mainly used in Ursnif campaigns and subsequently reused to deliver the Remcos, SystemBC, Purelogs, Mekotio and DroidJack malware. A significant decrease was noted in malicious campaigns delivered through compromised certified email (PEC) accounts, while at the same time smishing grew markedly. Smishing consists in the mass sending of text messages carrying deceptive communications, often purporting to come from well-known banking institutions and containing links to malicious resources such as phishing pages or malware for mobile devices. Even so, the most used delivery channel overall remains ordinary email (PEO), as opposed to certified PEC.


SpyNote on the podium of malware aimed at Android systems

During 2023, 29 malicious campaigns aimed at compromising Android-based mobile devices were identified. Among the malware identified, SpyNote emerges as the most widespread, with three variants recorded during the year. All analysed samples turned out to be reworked versions of malware originally conceived as banking trojans, aimed at stealing money by abusing home-banking operations. Most malicious actors keep relying on smishing campaigns, impersonating banking institutions and tricking victims into installing fake updates or new apps. The malicious app is downloaded through a link in the SMS that points to an APK file hosted on a domain usually registered ad hoc. The predominant functionality of these malicious applications is reading text messages, in order to intercept the codes that the bank sends as a second authentication factor.
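As an added example (not from the article and not CERT-AgID code), the following Python script triages a decoded AndroidManifest.xml for the pattern the paragraph describes: an app that requests SMS-reading permissions and registers a receiver for incoming SMS, possibly combined with overlay or accessibility-service rights. The manifest embedded in the script is a constructed sample modelled on a "bank update" lure, not a real SpyNote manifest, and the permission groupings and the verdict thresholds are the example's own heuristic.

```python
"""Triage a decoded AndroidManifest.xml for the SMS-interception pattern.

Added example for this article; not CERT-AgID code. The manifest below is a
constructed sample modelled on a "bank update" lure, not a real SpyNote
sample, and the permission groupings and verdict are this script's own heuristic.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions that let an app read or receive incoming SMS (OTP interception).
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_MMS",
}
# Permissions typical of overlay / self-installing behaviour in banking trojans.
CONTROL_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: an "update" app with no messaging purpose that still
# asks for SMS access and hooks incoming messages with a high-priority receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank Update">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the suspicious declarations found and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(A_NAME) for el in root.iter("uses-permission")} - {None}
    # An accessibility service is declared via android:permission on <service>,
    # not via <uses-permission>, so it has to be collected separately.
    has_a11y = any(s.get(A_PERMISSION) == ACCESSIBILITY for s in root.iter("service"))
    has_sms_receiver = any(a.get(A_NAME) == SMS_RECEIVED for a in root.iter("action"))

    findings = sorted(requested & SMS_PERMS) + sorted(requested & CONTROL_PERMS)
    if has_a11y:
        findings.append("accessibility-service")
    if has_sms_receiver:
        findings.append("SMS_RECEIVED-receiver")

    # Reading SMS plus a receiver for incoming SMS is the OTP-theft shape itself;
    # overlay or accessibility rights on top of that point to a full banking trojan.
    if requested & SMS_PERMS and has_sms_receiver:
        verdict = "high" if (requested & CONTROL_PERMS or has_a11y) else "medium"
    elif requested & SMS_PERMS:
        verdict = "low"
    else:
        verdict = "none"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

An APK stores its manifest as binary XML, so decode it first (for example with apktool) before feeding it to the script. A genuine messaging or banking app may also legitimately hold READ_SMS, so the verdict is a triage signal to be read together with the delivery context (link in an SMS, ad-hoc domain, sideloaded APK), not a final classification.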

.zip is the most used file type to deliver malware

The file format most frequently used in malicious campaigns is by far the compressed archive, and .zip files in particular. These in turn are used to contain MS Office documents, mountable disk image files, scripts and, especially in the second half of the year, PDFs with links to scripts or to shared resources.
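As an added example (not from the article and not CERT-AgID tooling), this Python script walks a .zip attachment, including nested zips, and classifies each member by the payload types the paragraph lists, flagging the tricks that usually accompany them: mountable disk images, scripts, double extensions such as Fattura.pdf.js, encrypted entries that a scanner cannot inspect, and member paths that would escape the extraction directory. The archive it scans is built in memory from dummy bytes; the extension categories and the block/review/allow thresholds are the example's own heuristic.

```python
"""Triage a .zip attachment for the nested payload types discussed above.

Added example for this article; not CERT-AgID code. The archive is built in
memory from dummy bytes, and the extension categories and verdict thresholds
are this script's own heuristic.
"""
import io
import posixpath
import zipfile

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".lnk"}
EXE_EXT = {".exe", ".scr", ".dll", ".msi"}
IMAGE_EXT = {".iso", ".img", ".vhd", ".vhdx"}            # mountable disk images
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".doc", ".xls"}   # macro-capable Office formats
DOC_EXT = {".pdf", ".docx", ".xlsx", ".pptx", ".rtf", ".txt"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
CATEGORIES = (("script", SCRIPT_EXT), ("executable", EXE_EXT), ("disk-image", IMAGE_EXT),
              ("office-macro", MACRO_EXT), ("document", DOC_EXT), ("archive", ARCHIVE_EXT))


def classify(member_name: str) -> str:
    """Map a member name to a coarse payload category by its final extension."""
    ext = posixpath.splitext(member_name.lower())[1]
    for category, exts in CATEGORIES:
        if ext in exts:
            return category
    return "other"


def scan_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Walk an archive and its nested .zip members; return one finding per file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            category = classify(name)
            flags = []
            # Zip Slip: a member path that would escape the extraction directory.
            if name.startswith("/") or ".." in name.split("/"):
                flags.append("path-traversal")
            # "Fattura.pdf.js": a document-looking name with an executable suffix.
            parts = posixpath.basename(name).lower().split(".")
            if len(parts) > 2 and "." + parts[-2] in DOC_EXT and category in ("script", "executable"):
                flags.append("double-extension")
            # Bit 0 of the general-purpose flags marks an encrypted entry: a scanner
            # without the password (usually given in the e-mail body) cannot look inside.
            if info.flag_bits & 0x1:
                flags.append("encrypted")
            findings.append({"name": name, "depth": depth, "category": category, "flags": flags})
            # Recurse into nested zips, bounded so a zip bomb cannot recurse forever.
            if name.lower().endswith(".zip") and "encrypted" not in flags and depth < max_depth:
                try:
                    findings.extend(scan_zip(zf.read(info), depth + 1, max_depth))
                except zipfile.BadZipFile:
                    flags.append("corrupt-archive")  # same list object as in the finding
    return findings


def verdict(findings: list) -> str:
    """Collapse the findings into block / review / allow."""
    for f in findings:
        if (f["category"] in ("script", "executable", "disk-image")
                or "double-extension" in f["flags"] or "path-traversal" in f["flags"]):
            return "block"
    if any(f["category"] in ("office-macro", "archive") or "encrypted" in f["flags"]
           for f in findings):
        return "review"
    return "allow"


def build_archive(members: dict) -> bytes:
    """Build an in-memory zip from {member name: bytes} (nested zips are just bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in members.items():
            z.writestr(name, payload)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed lure: decoy PDF, a mountable image, and a nested zip with a double-extension script."""
    inner = build_archive({"Fattura_2023.pdf.js": b"// dummy script body\n"})
    return build_archive({
        "Fattura_2023/Fattura_2023.pdf": b"%PDF-1.4 dummy",
        "Fattura_2023/Allegato.iso": b"\x00" * 64,
        "Fattura_2023/archivio.zip": inner,
    })


if __name__ == "__main__":
    results = scan_zip(build_sample())
    for r in results:
        print(r)
    print("verdict:", verdict(results))
```

Names are only a first filter: in production pair this with magic-byte checks, since an extension can be renamed freely. The "encrypted" flag deserves attention on its own, because a password-protected archive with the password in the message body is a common way of keeping the payload out of reach of gateway scanners.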

Telegram the dominant ecosystem

The analysis also shows that, although ransomware remains the most relevant and widely discussed threat of 2023, only a single ransomware case (Knight) was found in Italy, distributed through a loader delivered by email. Ransomware compromises continue to be carried out manually, exploiting access to systems obtained through infostealer or RAT malware. Furthermore, alongside the constant spread of infostealers, a growth in the illicit use of remote control tools such as ScreenConnect or UltraVNC has been observed, tools whose functionality closely resembles that of the well-known TeamViewer. They allow an attacker to take control of victims' machines, viewing the contents of the screen and interacting with it as a local user would with a mouse and keyboard.

Finally, during 2023 Telegram consolidated its position as the predominant ecosystem for cybercrime activity, as evidenced by the widespread sale and disclosure of stolen personal and corporate data on its channels. It has also taken on a leading role as the privileged venue for claiming cyber attacks and compromises, especially by pro-Russian collectives and ransomware gangs.
