Op. "Pistacchietto": An Italian Job (Mar 6, 2019)
Yoroi researchers observed a new campaign, dubbed "Operation Pistacchietto," targeting organisations in Italy with multiple purpose-built malware components. The campaign begins with a fake Java page that asks the user to update their Java version in order to continue surfing the internet. The page links to the supposed "update," which downloads a .bat file that begins installing malicious code. The malicious script is made up of two parts: the first part tricks the user into granting the code administrative privileges, whilst the second part downloads additional components and obtains persistence using the Windows Task Scheduler. Before downloading those components, the second part checks the machine's architecture so that it fetches the correct backdoor for that machine. The malicious file is able to bypass antivirus detection because its signature changes every time. In addition to installing a backdoor specific to the machine's operating system, the malware can install the Android Remote Access Trojan (RAT) "AhMyth Android Rat" if it determines that it is running on an Android mobile device.
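A detection heuristic for the persistence step described above (a batch script spawning a Task Scheduler task whose action lives outside the standard program directories), written as an added example for this digest rather than code from Yoroi's report; the event layout and the sample process-creation records are constructed for illustration and contain no real campaign indicators.

```python
"""Flag scheduled-task creation spawned from a .bat script.

Constructed for this example: a minimal process-creation event shape
(pid, parent pid, image, command line) of the kind Sysmon Event ID 1 or
Security Event ID 4688 provide. Not Yoroi's code.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Task actions under these roots are treated as ordinary software installs.
SAFE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_batch_shell(ev: ProcEvent) -> bool:
    """True when the event is cmd.exe executing a .bat file."""
    return ev.image.lower().endswith("cmd.exe") and ".bat" in ev.cmdline.lower()


def task_action_path(cmdline: str):
    """Extract the program given to schtasks /tr (quoted or bare)."""
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def find_suspicious_task_creations(events):
    """Return (parent command line, task action) for each schtasks /create
    launched by a .bat shell whose action is outside SAFE_DIRS."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("schtasks.exe") or "/create" not in ev.cmdline.lower():
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or not is_batch_shell(parent):
            continue
        action = task_action_path(ev.cmdline)
        if action and not action.lower().startswith(SAFE_DIRS):
            hits.append((parent.cmdline, action))
    return hits


# Constructed sample telemetry: one malicious chain, one benign admin script.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\bob\Downloads\javaupdate.bat"'),
    ProcEvent(201, 200, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn "JavaUpdate" /tr "C:\Users\bob\AppData\Roaming\svc.exe" /f'),
    ProcEvent(300, 1, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c backup.bat"),
    ProcEvent(301, 300, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"'),
    ProcEvent(400, 100, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query"),
]

if __name__ == "__main__":
    for parent_cmd, action in find_suspicious_task_creations(SAMPLE_EVENTS):
        print(f"suspicious task from {parent_cmd!r} -> {action}")
```

Only the chain originating from the downloaded .bat in a user profile is reported; the scheduled backup pointing into Program Files is left alone.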
Recommendation: It is currently unclear what the purpose of this campaign is, but it emphasises the importance of being vigilant when surfing the web and encountering a basic webpage that asks the user to download an update. Ensure that your company's firewall blocks all entry points for unauthorised users, and maintain records of what normal traffic on your network looks like, so that unusual traffic and connections to and from your network are easier to spot and can be investigated as potentially malicious activity.