“Operation Pistacchietto”, a new Italian malware campaign

• The campaign is named after a GitHub account that provided partial source codes of a malware.
• An analysis revealed that the malware is a backdoor written in Python.

A peculiar Italian-origin malware campaign has been discovered by security researchers. It appears that this campaign has been active since 2016, and came to light only this year.

First analyzed by TG Soft and then by Yoroi-Zlab, the attacker group is speculated to be Italian since many file names and scripts were in the Italian language, as well as C2 servers being from Italy. It was also observed that the Pistacchietto campaign targeted both mobile and desktop systems.

How does it affect desktop and mobile platforms?

Windows

• Usually, spam emails contain a malicious link which is a fraudulent web page prompting the victim to ‘update’ Java components.
• Clicking on the Update button will download a BAT file. The source code of this file has two parts. The first part requests admin privileges to the system and the second part downloads the malware payload.
• Two URLs were also embedded in the source code that had other malware components.
• Yoroi-Zlab’s analysis revealed that the malware was still under maintenance and was undergoing constant changes.
• Some of the malware samples downloaded by the BAT file include ‘office_get.xml’, ‘get.vbs’, ‘woffice.exe, woffice2.exe’, ‘NisSrv.exe’, ‘sys.xml’ & “syskill.xml’

Android, Linux, and Mac OS targets

• The variants observed under these platforms remained the same as observed in Windows systems, in terms of functionality.
• For Linux, ‘crontab’ and ‘systemctl’ commands are used in the malware deployment while for Mac OS, malware modules were edited from the Windows variant.
• For Android, the malware was a remote access tool (RAT) which is a copy of AhMyth Android RAT.

Still at a nascent stage - Despite Pistacchietto campaign being relatively new, experts believe that there could be much more behind the scenes that could take off in the near future.

“Behind the lack of professional infrastructure, the 'hiding in plain sight' strategy, the developer’s comments, the drafted malware code analyzed and the speculations about the possible amateur nature of this actor, we are in front of a long-running espionage operation,” hinted Yoroi-Zlab in the blog.