Maze Ransomware Attacks Italy in New Email Campaign

The Maze Ransomware is conducting a new spam campaign that targets Italian users by pretending to be the country’s Tax and Revenue Agency.

The Maze Ransomware is not a new infection, but within the past month it has been picking up steam with new campaigns, partnerships with exploit kits, and playful comments aimed at researchers inserted in its executables.

According to security researcher JAMESWT, users in Italy are being targeted with spam emails pretending to be from the Italian Revenue Agency, or the Agenzia delle Entrate, which is responsible for collecting taxes and revenue for the government.

These emails use the subject “AGGIORNAMENTO: Attivita di contrasto all’evasione. Aggiornamento” and carry a Word document called “VERDI.doc”, which allegedly contains new guidelines that businesses and citizens must follow.

Spam Email

The text in Italian for these emails is:

Ciao, 

Si invitano tutte le persone fisiche e giuridiche a visionare e seguire con rigore Le Linee Guida fornite dall'Agenzia delle Entrate (in allegato).
E sufficiente seguire le indicazioni per evitare di essere segnalato dal sistema come un soggetto "a rischio" dopo il primo controllo basato sul c.d. "redditometro".
Il materiale da consultare (Le Linee Guida) viene consigliato specialmente ai soggetti che utilizzano i servici telematici finanziari (es. Internet Banking).

Nell'ambito dell'attivita di controllo nei confronti delle persone fisiche e giuridiche, nel 2019 e stata data attuazione alla normativa prevista dall'art. 38, commi quarto e seguenti del D.P.R. n.600/73 e dal D.M. 24 dicembre 2018 (il cosiddetto Redditometro).

A questo riguardo e ststo predisposto il nuovo applicativo informatico "VE.R.DI.", destinato alle attivita di analisi del rischio sulle persone fisiche e di ausilio alla daterminazione sintetica del reddito.

Si tratta di uno strumento innovativo che sara oggetto di implementazioni e miglioramenti volti ad ottimizzarne le funzionalita.

This translates to English as:

Hello,

All natural and legal persons are invited to view and strictly follow the Guidelines provided by the Revenue Agency (attached).
It is sufficient to follow the indications to avoid being flagged by the system as a subject "at risk" after the first check based on the so-called "Redditometro".
The material to be consulted (The Guidelines) is especially recommended for those who use financial telematic services (e.g. Internet Banking).

As part of the control activity for natural and legal persons, in 2019 the legislation provided for by art. 38, fourth and following paragraphs of the D.P.R. n.600/73 and by the D.M. 24 December 2018 (the so-called Redditometro) was implemented.

In this regard, the new IT application "VE.R.DI." is designed for risk analysis activities on individuals and aids in summarizing income.

It is an innovative tool that will be subject to implementations and improvements aimed at optimizing its functionality.

If a user opens the attached VERDI.doc, they are told that the file is encrypted using RSA encryption and that they must “Enable Content” in order to view it properly.
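For mail triage, the subject line and attachment name quoted above can be matched against inbound messages. The following is an added example, not code from the article or the researcher; the function names, the placeholder addresses and the constructed sample messages are assumptions, and the match is extended to any legacy Word attachment in case the file is renamed.

```python
import unicodedata
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the article; all other names and values are assumptions.
LURE_SUBJECT = "attivita di contrasto all'evasione"
LURE_ATTACHMENT = "verdi.doc"
LEGACY_WORD = (".doc", ".dot")  # binary Word formats that can carry macros

def fold(text):
    """Lower-case, strip accents, unify apostrophes: 'Attività' == 'Attivita'."""
    text = unicodedata.normalize("NFKD", str(text or ""))
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.replace("\u2019", "'").lower().split())

def triage(raw_bytes):
    """Return the reasons a message resembles the campaign (empty list = none)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if LURE_SUBJECT in fold(msg["Subject"]):
        reasons.append("subject matches lure")
    for part in msg.iter_attachments():
        name = fold(part.get_filename())
        if name == LURE_ATTACHMENT:
            reasons.append("attachment named VERDI.doc")
        elif name.endswith(LEGACY_WORD):
            reasons.append("legacy Word attachment: " + name)
    return reasons

def sample(subject, filename):
    """Build a constructed test message; addresses and body are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Constructed body text.")
    m.add_attachment(b"placeholder, not a real document",
                     maintype="application", subtype="msword", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    lure = sample("AGGIORNAMENTO: Attivita di contrasto all'evasione. Aggiornamento",
                  "VERDI.doc")
    print(triage(lure))
    print(triage(sample("Quarterly report", "report.pdf")))
```

A match on the attachment name alone is weak evidence, since the name is trivial to change; treat the reasons as triage hints to combine with sender authentication results and attachment analysis.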

Read more: https://www.bleepingcomputer.com/news/security/maze-ransomware-attacks-italy-in-new-email-campaign/