Although security researchers have only just discovered it, the campaign has been active since 2016. An Italian group is suspected to be behind it, because the C2 servers are located in Italy and the file names and scripts are written in Italian. Both desktop and mobile systems were targeted. On Windows, victims receive spam emails that redirect them to a fraudulent page urging them to update their Java components. Clicking the update button on that page downloads a BAT file with two stages: the first requests administrator privileges, and the second downloads the malware. Several other malicious URLs were also embedded in the page's source code. For Android, Linux, and macOS the functionality was the same, with each variant modified slightly to aid deployment of the malware on that platform. Although the campaign was only recently discovered, researchers believe it could develop rapidly in the near future. Researchers commented, “Behind the lack of professional infrastructure, the ‘hiding in plain sight’ strategy, the developer’s comments, the drafted malware code analyzed and the speculations about the possible amateur nature of this actor, we are in front of a long-running espionage operation.”
Users should consider spending money on a good anti-virus program; although such programs are not foolproof, they add a layer of security that makes it more difficult for malware to make its way onto a system. Email should also be monitored for messages from suspicious senders, and users should not click on links within such emails.