TG Soft Software House - Vir.IT eXplorer: AntiVirus, AntiSpyware and AntiMalware
Detects viruses and malwareIdentifies polymorphic viruses thanks to DEEP SCANMacro Virus AnalyzerINTRUSION DETECTION TechnologyVirus/malware removal toolsInstallation on Active Directory16/32/64 bit Real-Time ProtectionVir.IT Scan MailVir.IT Console Client/ServerVir.IT WebFilter ProtectionAutomatic Live-UpdateVir.IT Personal FirewallItalian Tech SupportAntiMalware Reserch Center


Submit suspicious file
fb rss linkedin twitter

ICSA Lab

Vir.IT eXplorer PRO pass the test VB100 2017-04

AMTSO

OpsWat

EICAR Membro SERIT - SEcurity Research in ITaly

06/03/2017 14:34:49 - Operation "Orziveccho": Italian municipalities are under attack !!!  Massive diffusion of spear phishing against italian municipalities. Who is spying Italy ?




[update of 03/09/2017]

TG Soft's Research Centre (C.R.A.M.) has observed between 4th and 7th march a spear phishing attack against the Italian municipalities by sending mails containing infected attachments.
The campaign of spear phishing that has as target the Italian municipalities was dubbed  "Orziveccho".
 

CONTENTS

==> How Orziveccho spreads
 
==> Running of Orziveccho

==> Command & Control

==> Remove Orziveccho

==> Conclusions


Orziveccho uses a remote desktop to control the infected computers. In this case the victims are the italian municipalities, Orziveccho has the full access at computer and it can steal documents or reserved informations and spy the user.  

At first look of the malware Orziveccho isn't possible to determine the origin of the authors, and we can not yet say whether this is an attack on APT (Advanced Persistent Threat).
Certainly the spear phishing campaign realized against Italian Municipalities is built very well, where every detail isn't left to chance.
The IP addresses from they were sent the infected email may be located in Tallinn in Estonia or in the United States, instead the C&C domains used are found in Italy and in Toronto (Canada).

TG Soft's Research Centre (C.R.A.M.) has stimated as of today (7th march 2017),  that no less than 6.3% of Italian Municipalities has been infected from this Malware-Spy.  These data are subject to progressive updating on the basis of actual infection reporting that our Research Center will verify and record.

You can check the infection by  "Trojan.Win32.Orziveccho.A" with the free anti-virtus Vir.IT eXplorer Lite. To download you can proceed from the page http://www.tgsoft.it/italy/download.asp 

TG Soft's Research Centre (C.R.A.M.) has reputed to examine in depth the variant of Orziveccho that it hit a lot of italian Municipalities.


How Orziveccho spreads

Orziveccho spreads through email and its target are the Italian municipalities.
At this time the municipal offices may have received an email with the subject "Richiesta certificato"  infected by Orziveccho.

In the figure we can see the email infected by Orziveccho:

Interestingly, the email sender is a PEC address of another municipality.
The subject of message is "Richiesta certificato".



the body of the message has the following form:

Spett. le COMUNE,

si richiede cortesemente certificato storico di residenza
del soggetto con dati allegati, per accertamento irreperibiità.

Si ringrazia.

Cordiali saluti

Il Segretario Comunale

<nome della persona>

Comune di <nome del comune>
<indirizzo>
<recapiti telefonici>


Attachments:
  • Dati_Anagrafici_Per_Accertamento_Irreperibilita_ DE_JESUS_MILAGROS-BEROYA-FILIPPINE_ RP-DJSMGR73S51Z216Z.rtf.zip
  • Anagrafica.rtf.zip
The attachments have a double extension: .rtf.zip
Inside the respective zip file is present a file with name: <nome file zip>.rtf.vbe
example: Anagrafica.rtf.vbe

Filename:
Anagrafica.rtf.vbe
Size: 7.589 byte
MD5: 5D429355B4510AECFE27723FAFC6EAB2
Date: Tuesday 28 Febraury 2017, 23.28.04

The file
<nome file zip>.rtf.vbe is a VBScript file that is identified by VirIT eXplorer as infects by "Trojan.VBS.Orziveccho.D".




The email infected by "Orziveccho" are sent from the following pec addresses:
  • comunediburgio@pec.it 
  • info@pec.comune.sanvittoredellazio.fr.it
The municipalities in which the credentials of institutional PEC were compromised are:
  • Comune di Burgio
  • Comune di San Vittore del Lazio

From the analysis of the infected email, the IP addresses from which the infected mail were shipped may be located in Tallinn in Estonia, or in USA:
  • 104.160.19.236
  • 104.160.19.111

These IP addresses belong to the American provider CachedNet LLC, through the geolocation of the IP addresses they are located in Estonia or in USA.

Both the City of Burgio and the City of "San Vittore del Lazio" are working to solve the problem of compromised accounts.
The City of Burgio has signaled inside its website the
problem related to sending of infected emails:





Running of Orziveccho

The running the infected VBScript creates inside the folder "Documents" the file "Pratiche.rtf" with the request information:


At this point it is created "download.vbe" file in the Startup folder and then executed.
The file "download.vbe" tries to connect at the following domains:
  • 199[.]103[.]56[.]165
  • www[.]scuolaelementarediorziveccho[.]191[.]it
The first domain 199[.]103[.]56[.]165 is localized in Toronto (Canada), instead the second www[.]scuolaelementarediorziveccho[.]191[.]it is localized in Italy and is a domain registered by Tim Telecom Italia.

 

199[.]103[.]56[.]165

www[.]scuolaelementarediorziveccho[.]191[.]it




These domains are used as C&C server to donwload a file called "ORD-2020.txt", it contains the payload of malware.

Filename: ORD-2020.txt
Size: 3.309.187 byte
MD5: 271CA65D23F0DB9044E0F5B166FDD462

On 09/03/2017:
Filename: ORD-2020.txt
Size: 3.309.196 byte
MD5: D70CD766BD0796CFFCF3E32C5A8F9DAE


The file "ORD-2020.txt" is saved inside the startup folder under the name  "ORDINI.exe".
The file "ORDINI.exe" is a self extract RAR and it is identified by VirIT eXplorer as infects by "Trojan.Win32.Orziveccho.A"
Inside the file
"ORDINI.exe" we cann find the following file:
  • admin.vbe
  • NTR.msi
  • vai.vbe
Filename: admin.vbe
Size: 3.491 byte
MD5: DB5E6722916387E4968994C90A78C530

Filename: NTR.msi
Size: 3.872.768 byte
MD5: EC857EED2FFE74BE892E373312C20470

Filename: vai.vbe
Size: 3.346 byte
MD5: 93AF69B1F0D73589CB87E8E5586CEC73

On 09/03/2017:
Filename: NTR.msi
Size:
3.872.768 byte
MD5:
D205DAF0F8DF73F59C06091B4DCA76F3


Running the file "ORDINI.exe" involves the extraction of the above files and execution of VBScript files "vai.vbe". This file checks if your computer is already infected, otherwise run the "admin.vbe" file.

The file "admin.vbe" installs the package software NTR.msi with command:

msiexec.exe /package NTR.msi /quiet

that involves the silent installation of the software NTR.msi.

Inside the package NTR.msi you will find the software NTR Cloud (http://www.ntrglobal.com) for remote control of the PC, this package has been modified to match each installation infects with the account of the criminal who assumed to be: michel.piccoli@hotmail.com
In this way the criminal can connect at the site http://www.ntrglobal.com/it/freecloud/login with their credentials and he has the control of each infected computer.

The package NTR.msi has been modified to match every infected computer with the criminal account, as you can see from the digital signature.



The remote control software will be installed as a service:

Filename: NTRCloud
Description: NTR Cloud agent
Path: "C:\Program Files\NTR Global (an ASG company)\NTRCloud\agent.exe" NTRCloud

At this point at startup the computer will run the file:
  • download.vbe
  • C:\Program Files\NTR Global (an ASG company)\NTRCloud\agent.exe




Back on top




Command & Control


The victim's computer is controlled by the attacker through the service of "NTR Global" "C: \ Program Files \ NTR Global (an ASG company) \ NTRCloud \ agent.exe".
During the installation of the software "NTR Global" it is automatically matched to the account of the criminal. The attacker by logging on to http://www.ntrglobal.com/it/freecloud/login will have access to the computers of their victims to spy or steal confidential documents.

At startup it will run the file "download.vbe
", that it will try to connect to
:

  • 199[.]103[.]56[.]165
  • www[.]scuolaelementarediorziveccho[.]191[.]it


Here a simple communication system with C&Cl server, as well as performing a direct "upgrade" of the malware, it lets you to download "custom update" according to the following scheme: userName & separ & computerName & "/ORD-2020.txt" .
Where:

  • userName: user name
  • separ: "--"
  • computerName: computer name

 


Back on top
 


Remove Orziveccho

To see if the computer is infected by malware Orziveccho you can download the free version of VirIT eXplorer Lite: http://www.tgsoft.it/italy/download.asp

You can manually check for the presence of some infection indicators:

File:

  • C:\Users\<nome utente>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Download.vbe
  • C:\Program Files\NTR Global (an ASG company)\NTRCloud\agent.exe
Service:
  • NTRCloud

Manual remove:
  • delete the file: C:\Users\<nome utente>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Download.vbe
  • stop and disable the automatic start  of service: NTRCloud
To access at the services from "Start-> Run": services.msc

  

 

 


Back on top


 

 

Conclusions

The campaign of spear phishing of the malware "Orziveccho" with the target the italian municipalities seems to have been well organized. Between Saturday 4th and Tuesday 7th march, there was a massive sending of spear phishing emails with the subject of the message "Richiesta certificato" where both the sender and the recipient were Italian municipalities.
The information contained in the body of the message about the sender, as the name of the municipality,  address and contact person are real. This makes us think that the attack was well thought out and no detail has been left to chance.

Could make suspicious the certificate request for the person with the name "DE JESUS MILAGROS BEROYA" (the miracle of Jesus), although in the second email the attachment name was "Anagrafica.rtf.zip" and related to "DE JESUS MILAGROS BEROYA" was shown only in "pratiche.rtf "document to already occurred infection.

What are they looking for in the Italian Municipalities computer? Who is the director of this espionage attack?
For now we do not have enough information to answer these questions.
From the analysis of IP addresses we obtained the following geographic features:
  • Italy
  • Canada
  • Estonia / USA
but that does not allow us to make any assumptions.
From the analysis of the viral code, there are some elements that could indicate that the country assaulter is precisely Italy. In fact within the viral code it is used as temporary file "ORDINI.exe" file which is then deleted. Also within self-extracting RAR archive is the "vai.vbe" file, where "vai" is an italian word. Why use Italian terms for filenames after they are deleted?

We are not aware of how long are plotting this attack, but the site www[.]scuolaelementarediorziveccho[.]191[.]it has downloaded for 24h the "Orziveccho" malware from the afternoon of 6th march 2017. A very fast attack at the predetermined target.


Authors: Gianfranco Tonello, Federico Girotto
Centro Ricerche Anti-Malware di TG Soft

Back on top





Any information published on our website can be used and posted on other websites, blogs, forums, facebook and/or in any other form both on paper and electronically so long as you always cited source explicitly "Fonte: C.R.A.M. by TG Soft www.tgsoft.it"
fb rss linkedin twitter
 




Legal & Eula | Privacy | Uninstall

TG Soft S.a.s. - via Pitagora 11/B, 35030 Rubàno (PD), ITALY - C.F. e P.IVA 03296130283