A malware downloader is spoofing Italian organizations, including the tax agency, to deliver a banking Trojan to Italian companies, researchers said.
Proofpoint calls the downloader WikiLoader. The company said in a post on Monday that the downloader uses multiple mechanisms to evade detection. The financially motivated threat actor behind it, which Proofpoint tracks as TA544, likely developed WikiLoader with an eye to renting it to “select cybercriminal threat actors.” The loader ultimately leads to the Ursnif banking Trojan, one of two Trojans favored by TA544.