A new malware campaign has been discovered using the Ursnif banking trojan and targeting organizations in Italy. A few months ago, Ursnif was being used against at least 100 banks in Italy.

Discussing the campaign

Proofpoint researchers have observed 20 campaigns spreading hundreds of thousands of email messages aimed at Italian organizations this year.
  • In the campaign, TA544 impersonated Italian organizations either as a courier company or some agency based in the energy sector, asking for payments from the targeted users.
  • The Ursnif campaign infected numerous sites using web injects and redirections once the payload is installed on targeted machines.
  • The discovered web injects are capable of stealing credentials from multiple sites and online services used by Italian users.
  • It targeted login portals of a large number of sites, including UniCredit Group, Agenziabpb, ING, BNL, eBay, PayPal, Banca Sella, CheBanca!, and IBK.

The targeting module

According to Proofpoint, more than half a million messages have been observed targeting Italian organizations, making Ursnif the most frequently observed malware targeting this region.
  • The emails are laden with malicious Microsoft Office documents including macros. If the victim enables macros, the document will deploy Ursnif on the infected machine.
  • In some of these campaigns, the threat actor employs geofencing tactics to confirm recipients in targeted geographic regions.


TA544’s campaigns have been ongoing since last year and are still targeting Italian users with the Ursnif banking trojan. Organizations are recommended to stay alert and train employees to spot malicious emails. Additionally, make sure that macros are disabled for all employees if not needed.

Cyware Publisher