Ursnif Malware: Italian Tax Agency lure
Between 8 and 21 March 2021 we identified a malicious email campaign distributing the Ursnif malware.
Ursnif is classified as a "Banking Trojan": its primary purpose is the theft of user data (credentials, browser sessions, financial information), and it is frequently used as the initial foothold for broader infrastructure compromise and Ransomware attacks.
The email subject line impersonates the Italian Revenue Agency (Agenzia delle Entrate), and a malicious Excel workbook in ".xlsb" (binary workbook) format is attached to the message.

The dropper
Upon opening the Excel document and enabling Macros, a sequence of actions is initiated that includes downloading and executing the second stage of the malware (a ".dll" file).

Malware Behavior
The dropper downloads the DLL file from the domain satisonline[.]bar (62[.]173[.]147[.]107), where it is served under the image file name "signup.jpg" rather than with a ".dll" extension. This domain and IP address are consistent with Cyber Threat Intelligence observations of Ursnif distribution infrastructure.

The file is saved to a randomized directory path of the form: "C:\zVAJUlB\WPTqlPR\RjuoPEa.dll"
At this stage the endpoint is compromised: the DLL establishes initial connections to "Command and Control" (C2) servers, giving the operators remote access to the system (T1071 – Application Layer Protocol, T1090 – Proxy).
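The indicators above (the download domain and IP, the "signup.jpg" payload name and the randomized DLL path) are what a defender would turn into hunting logic. The following Python script is an added example, not code from the original write-up: it refangs the published indicators and scans constructed proxy log lines for them, checks whether a file fetched with an image extension is really a PE ("MZ") file, and matches the drop path against a regex. The log format, the sample log lines, the file bytes and the assumption that the observed path generalises to three random 7-letter names are all constructed for illustration.

```python
"""Added example (not part of the original report): IOC and artefact checks
for the Ursnif campaign described above.

Indicators taken from the report: satisonline[.]bar, 62[.]173[.]147[.]107,
the payload name signup.jpg and the drop path C:\\zVAJUlB\\WPTqlPR\\RjuoPEa.dll.
Everything else (log format, sample lines, file bytes, path regex) is assumed.
"""
import re
from pathlib import PureWindowsPath

# Indicators exactly as written (defanged) in the report.
IOC_DOMAINS = {"satisonline[.]bar"}
IOC_IPS = {"62[.]173[.]147[.]107"}
PAYLOAD_NAME = "signup.jpg"


def refang(ioc: str) -> str:
    """Turn 'satisonline[.]bar' back into 'satisonline.bar' so it matches live logs."""
    return ioc.replace("[.]", ".")


REFANGED = {refang(i) for i in IOC_DOMAINS | IOC_IPS}

# Assumption: the single observed path generalises to three random 7-letter
# directory/file names directly under the drive root. This is a hunting
# heuristic derived from one sample, not a published signature.
DROP_PATH_RE = re.compile(
    r"^[A-Za-z]:\\[A-Za-z]{7}\\[A-Za-z]{7}\\[A-Za-z]{7}\.dll$", re.IGNORECASE
)


def is_ursnif_drop_path(path: str) -> bool:
    """True if the path has the shape of the randomized DLL location."""
    return bool(DROP_PATH_RE.match(path))


def is_disguised_pe(data: bytes, filename: str) -> bool:
    """A file with an image extension whose content starts with the PE 'MZ'
    stub is a strong sign of the second-stage DLL fetched as 'signup.jpg'."""
    suffix = PureWindowsPath(filename).suffix.lower()
    return suffix in {".jpg", ".jpeg", ".png", ".gif"} and data[:2] == b"MZ"


def scan_proxy_log(lines):
    """Return (line_no, reason) for each line touching the download/C2 infra.

    Assumed log format: '<timestamp> <client_ip> <method> <url> <status>'.
    A hit on the known host is a strong signal; a bare 'signup.jpg' request
    from another host is only a weak one and is reported separately.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
        if host in REFANGED:
            hits.append((n, f"known Ursnif infrastructure: {host}"))
        elif url.lower().endswith("/" + PAYLOAD_NAME):
            hits.append((n, f"payload filename {PAYLOAD_NAME} from unlisted host {host}"))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2021-03-10T09:12:01Z 10.0.0.15 GET http://satisonline.bar/signup.jpg 200",
    "2021-03-10T09:12:05Z 10.0.0.15 GET http://62.173.147.107/signup.jpg 200",
    "2021-03-10T09:13:00Z 10.0.0.22 GET https://www.example.com/ 200",
    "2021-03-10T09:14:30Z 10.0.0.31 GET http://cdn.example.net/images/signup.jpg 200",
]

# Constructed file contents: a PE stub renamed to .jpg versus a real JPEG header.
FAKE_JPG = b"MZ\x90\x00" + b"\x00" * 60
REAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 60

if __name__ == "__main__":
    for n, why in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {why}")
    print("signup.jpg is a PE file:", is_disguised_pe(FAKE_JPG, "signup.jpg"))
    print("drop path matches:", is_ursnif_drop_path(r"C:\zVAJUlB\WPTqlPR\RjuoPEa.dll"))
```

The content check matters more than the name check: the host and IP will rotate between campaigns, but a DLL delivered under an image extension is a behaviour the lure depends on. The drop path regex should be treated as a starting point and validated against your own endpoint telemetry before being used to alert.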
Ursnif campaigns built on macro-enabled Office documents remain a persistent delivery mechanism for banking trojans. To mitigate this vector, organizations should enforce application allow-listing, disable macro execution by default (allowing only signed or trusted-location macros where a business need exists), and maintain network-based detection for the known download and command-and-control infrastructure, including payloads served with an image extension that are actually PE files.