A phishing campaign targeting Italian public administrations used a fake urgent digital signature update to deliver a ZIP with a VBS that installs the legitimate remote-management tool Action1 for unauthorized access. CERT-AGID confirmed this is the first observed abuse of Action1 in Italy, shared IoCs with accredited organizations, and advised remediation steps. #Action1 #CERT-AGID
Keypoints
- The campaign used phishing emails claiming an urgent update for digital signature software to lure victims into downloading a ZIP file.
- The ZIP contains an unobfuscated VBS script with comments in Italian, suggesting possible use of AI or an Italian-speaking threat actor.
- The VBS aims to install Action1, a legitimate remote management tool, to gain unauthorized access to compromised systems.
- CERT-AGID reports this as the first observed misuse of Action1 in Italy, although its abuse has been reported internationally, including by Conti.
- Attackers leverage signed, legitimate remote-management software to lower detection chances, similar to past abuses of ScreenConnect.
- No final payload has yet been identified; actors may be delaying deployment until an opportune moment.
- CERT-AGID has shared IoCs with accredited organizations, contacted the affected signature provider, and issued guidance to potential victims.
MITRE Techniques
- [T1566] Phishing – The campaign used fraudulent emails claiming an urgent update for digital signature software to trick users into clicking a link and downloading a ZIP. Quote: ‘l’e-mail fraudolenta… induce gli utenti a cliccare sul link… con lo scopo di scaricare un file ZIP contenente un VBS malevolo.’ (the fraudulent email… induces users to click the link… to download a ZIP containing a malicious VBS).
- [T1204] User Execution – The attack relies on user interaction to download and run the VBS from the ZIP archive. Quote: ‘induce gli utenti a cliccare sul link presente nel corpo del messaggio con lo scopo di scaricare un file ZIP.’ (induces users to click the link in the message body to download a ZIP file).
- [T1218] Signed Binary Proxy Execution – Abuse of a legitimate, signed remote management tool (Action1) to execute malicious actions and reduce detection. Quote: ‘criminali informatici sfruttano software firmati e legittimi per ridurre la probabilità di rilevazione.’ (cybercriminals exploit signed legitimate software to reduce detection likelihood).
- [T1105] Ingress Tool Transfer – The campaign downloads a ZIP containing a VBS which then installs Action1, representing transfer and staging of tools on target systems. Quote: ‘scaricare un file ZIP contenente un VBS malevolo… l’obiettivo è l’installazione di Action1.’ (download a ZIP containing a malicious VBS… the objective is installation of Action1).
- [T1071] Application Layer Protocol – Use of email as the delivery vector for the malicious link and payload distribution. Quote: ‘L’e-mail malevola… sfruttando un presunto aggiornamento urgente… induce gli utenti a cliccare.’ (The malicious email… exploiting a supposed urgent update… induces users to click).
Indicators of Compromise
- [Email links] phishing lure – malicious update link in phishing email (IoCs shared by CERT-AGID; specific URLs provided to accredited organizations).
- [File names / Types] payload and delivery – ZIP archive containing a VBS script (example: malicious .zip -> .vbs), and MSI installer for Action1 observed in analysis.
- [Tool / Software] abused legitimate tool – Action1 installer used by attackers to gain access (legitimate MSI abused; details and hashes shared with accredited orgs).
- [IoC repositories] distribution – IoCs and indicators were distributed via CERT-AGID's accredited IoC flow and a “Download IoC” link (specific IoC list available to accredited organizations).
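As an added detection example (not code from CERT-AGID's advisory), the following Python scans Sysmon-style process-creation events for the execution chain this page describes: a script host running a .vbs from a user-writable path (Temp, Downloads, a ZIP extraction folder) that then spawns msiexec to install an MSI. The event records, paths and file names are constructed sample data, and the field names are an assumption about the telemetry format.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
# Records 4120 and 4130 mimic the chain described above: a script host runs a .vbs
# unpacked from a ZIP in the user's Temp folder, then spawns msiexec for an MSI.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 2200, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_firma.zip\update.vbs"'},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\agent.msi" /qn'},
    # Benign control: an MSI install whose parent is not a script host.
    {"pid": 5000, "ppid": 2200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\ProgramData\IT\agent.msi" /qn'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A .vbs path under a user-writable location (Temp, Downloads, AppData).
USER_VBS = re.compile(r"\\(Temp|Downloads|AppData)\\.*\.vbs\b", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_script_to_msi_chain(events):
    """One alert per msiexec whose parent is a script host running a user-path .vbs."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if _basename(e["image"]) != "msiexec.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        match = USER_VBS.search(parent["cmd"])
        if not match:
            continue
        alerts.append({"msi_pid": e["pid"], "script_pid": parent["pid"],
                       "vbs": match.group(0), "msi_cmd": e["cmd"]})
    return alerts


if __name__ == "__main__":
    for a in detect_script_to_msi_chain(SAMPLE_EVENTS):
        print(f"ALERT: msiexec pid {a['msi_pid']} spawned by script host pid "
              f"{a['script_pid']} running {a['vbs']}")
```

Only the script-host-to-msiexec chain fires; the admin-run MSI install in the sample is not reported.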
Read more: https://cert-agid.gov.it/news/falsa-patch-per-firma-digitale-diffonde-malware/