TA544 Targets Italian Organizations with Ursnif Malware


Proofpoint threat researchers identified an increase in targeted threats impacting Italian organizations in 2021. This spike in observed threats is largely driven by a group called TA544 leveraging the Ursnif banking trojan. Proofpoint has observed nearly 20 notable campaigns distributing hundreds of thousands of messages targeting organizations in Italy so far this year, which equals 80% of the total number of similar campaigns in the entirety of 2020. As many as 2,000 organizations were targeted in each of the Italian-language campaigns.

TA544 is a cybercriminal threat actor that distributes banking malware and other payloads in various geographic regions, including Italy and Japan. Proofpoint has tracked this actor since 2017. Typically, this group varies its payloads, which appear to be targeted by region – for example, in 2021, all TA544 Ursnif campaigns have specifically targeted Italian organizations, while Dridex payloads associated with this threat actor do not have specific geographic targeting.

Ursnif is a trojan that can be used to steal data from websites, with the help of web injections, proxies and VNC connections; steal data such as stored passwords; and download updates, modules, or other malware. Although this malware is used by multiple cybercriminal threat actors, TA544’s activity targeting Italy differentiates it from other actors. Between January and August 2021, the number of observed Ursnif campaigns impacting Italian organizations surpassed the total number of observed Ursnif campaigns targeting this region in all of 2020.