Fortgale & Malware

Emotet, active since 2014, is among the malware most used by criminals to compromise the workstations of Italian companies.

After installation on the victim system, it steals the passwords saved in the browsers (banking logins, e-mail, company portals). It is often used as a “Trojan horse” for the installation of other types of Malware (Trickbot or IcedID).

Trickbot, active since 2016, is a modular banking Trojan developed by WIZARD SPIDER with the main purpose of stealing victims’ credentials. Over the years, businesses and individuals on a global scale have been affected.

Following infection (usually via spearphishing) it allows the implementation of additional functionality, such as data collection, reconnaissance and lateral movement in the victim’s local network.

It is often used as initial access which can then be sold to other criminal groups.

Ursnif is one of the most widespread malware in Italy, every year there are several campaigns targeting Italian companies.

The first samples were detected in 2015 and in recent years its functionality has undergone variations, but the method of propagation and infection has remained the same. It usually exploits a malicious attachment within phishing emails to install itself on victims’ systems.

Its main functions consist of stealing information relating to banks, wallets and cryptocurrencies; Furthermore, it can also perform further operations such as: obtaining other information relating to the user, creating screenshots and web injections.

Agent Tesla is spyware capable of stealing information relating to browser credentials, FTP services, Windows, emails and VPNs.

Over time, other features have also been developed such as: collection of information regarding the hardware of the victim’s systems, creation of screenshots, download and execution of additional executables, log of pressed keys and clipboard.

Formbook is a Data Stealer distributed as Maas ( Malware as a Services) active since 2016, which aims to exfiltrate victims’ credentials and personal information. It provides less experienced attackers with the possibility of carrying out attack campaigns in just a few clicks by renting it at relatively low prices (a few hundred euros).

Over time, the malware has undergone numerous updates and is often distributed via malspam campaigns and malicious attachments.

QakBot is a modular banking Trojan that has been active since 2007.

Over time it has undergone several changes, going from being a “simple” info stealer to becoming a dropper for some ransomware such as ProLock and Egregor.

However, the infection system has remained almost unchanged, exploiting malspam campaigns with malicious attachments or links.