{"id":1904,"date":"2021-03-30T11:26:35","date_gmt":"2021-03-30T09:26:35","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=1904"},"modified":"2026-06-08T23:07:21","modified_gmt":"2026-06-08T23:07:21","slug":"ursnif-italian-tax-agency-lure","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/ursnif-italian-tax-agency-lure\/","title":{"rendered":"Ursnif Malware \u2014 Italian Tax Agency lure"},"content":{"rendered":"\n<p style=\"text-align: justify\">Between <strong>8 and 21 March 2021<\/strong> we identified a malicious email campaign distributing the <strong>Ursnif<\/strong> malware.<\/p>\n\n\n\n<p style=\"text-align: justify\">Ursnif malware is classified as a &#8220;<strong><em>Banking Trojan<\/em><\/strong>&#8221;, primarily associated with user data compromise and frequently deployed as an initial vector for more complex infrastructure breaches and <strong><em>Ransomware<\/em><\/strong> attacks.<\/p>\n\n\n\n<p style=\"text-align: justify\">The email subject line mimics the Italian Revenue Agency (Agenzia delle Entrate), with a malicious Excel file &#8220;.xlsb&#8221; attached to the message.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large caption-align-center\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/03\/image-1.png\" alt=\"\" class=\"wp-image-1907\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">Figure 1 &#8211; Example of malicious email<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">The dropper<\/h2>\n\n\n\n<p style=\"text-align: justify\">Upon opening the <strong>Excel<\/strong> document and enabling Macros, a sequence of actions is initiated that includes downloading and executing the second stage of the malware (a &#8220;.dll&#8221; 
file).<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide size-large caption-align-center\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/03\/image.png\" alt=\"\" class=\"wp-image-1905\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">Figure 2 &#8211; Malicious Excel<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Malware Behavior<\/h2>\n\n\n\n<p style=\"text-align: justify\">The dropper downloads the dll file from the domain <strong><em>satisonline[.]bar (62[.]173[.]147[.]107)<\/em><\/strong>, retrieving the file &#8220;signup.jpg&#8221;. This activity is consistent with <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> observations of Ursnif distribution infrastructure.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large caption-align-center\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/03\/image-2-1024x343.png\" alt=\"\" class=\"wp-image-1908\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">Figure 3 &#8211; Network communication excerpt<\/figcaption><\/figure>\n\n\n\n<p style=\"text-align: justify\">The file is saved to a randomized directory path of the form: &#8220;C:\\zVAJUlB\\WPTqlPR\\RjuoPEa.dll&#8221;<\/p>\n\n\n\n<p style=\"text-align: justify\">At this stage the endpoint is compromised, with initial connections established to &#8220;<strong>Command and Control<\/strong>&#8221; servers for remote system access (T1071 &#8211; Application Layer Protocol, T1090 &#8211; Proxy).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Ursnif campaigns leveraging macro-enabled Office 
documents remain a persistent delivery mechanism for banking trojans. Organizations must enforce application whitelisting, disable macro execution by default, and maintain network-based detection signatures for known command-and-control infrastructure to mitigate this threat vector.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ursnif campaign abusing the Italian Tax Agency (Agenzia delle Entrate) brand as social-engineering lure: Italian-language phishing templates and host indicators.<\/p>\n","protected":false},"author":1,"featured_media":1907,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[18,48,160,177,3287,212,213,314,3104,335,336,3288,362,363,368],"class_list":["post-1904","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-62-173-147-107","tag-banker","tag-gozi","tag-incident-response","tag-italian-phishing","tag-malware","tag-malware-analysis","tag-sfile3","tag-social-engineering","tag-statillioni","tag-statisonline","tag-tax-agency-lure","tag-trojan","tag-trojan-banker","tag-ursnif"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1904","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=1904"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1904\/revisions"}],"predecessor-version":[{"id":9902,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1904\/revisions\/9902"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=1904"}],"wp:term":[{
"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=1904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=1904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}