Light Dark
October 7, 2019 By David Bisson 2 min read

Attackers are leveraging certified emails to target Italian users with samples of the sLoad malware family.

According to Cybaze-Yoroi ZLAB, the sLoad campaign began when criminals used certified emails to target Italian organizations and consultants affiliated with professional associations. Known as posta elettronica certificata (PEC) in Italy, certified emails are essentially normal email messages that come with an added guarantee of the sender’s identity. This verification lulled recipients into a false sense of security and tricked them into opening the attached .ZIP file.

Once opened, unlike previous attack campaigns, the .ZIP archive didn’t hide PowerShell code. Instead, it contained a corrupted PDF document and a VBS script. The first item attempted to trick the recipient that all was well so that they would run the script. If they complied, the script launched a PowerShell script retrieved from the attackers’ infrastructure that downloaded a malicious .JPG using bitsadmin.exe. This technique helped the campaign evade detection from AV tools while the image file loaded another PowerShell script that established persistence on the infected machine and used a series of other commands to download the final payload.

A Wave of Attacks Exploiting Posta Elettronica Certificata (PEC)

The sLoad operation isn’t the first attack campaign to involve certified email in some way. In January 2017, My Online Security detected a malspam campaign that used “posta certifica” in the subject line and body of its attack emails. Approximately two years later, researchers at ESET observed DanaBot combing through victims’ inboxes for emails specifically containing the substring “pec,” presumably in an effort to target corporate and public administration emails. Then, in April 2019, Cisco Talos discovered attackers pairing PEC with the JasperLoader downloader to target Italians with the Gootkit banking Trojan.

Help Defend Against sLoad Malware

Security professionals can help their organizations defend against sLoad by moving systems away from a model of escalated privilege access and toward one of least privilege through access management, multifactor authentication (MFA) and other security controls. Employee security awareness training, along with sophisticated security information and event management (SIEM) tools, can help organizations detect and defend against PowerShell attacks.

 |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

July 26, 2024

test img

8 min read - What is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and…

July 26, 2024

img test

7 min read - test imgWhat is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature