
Cybercrime, fake BRT shipment brings Ursnif / Gozi to Italy

Technical Analysis by the Malware Hunter JAMESWT

A fake BRT shipment notice carries Ursnif / Gozi to Italy. The xls attached to the email contacts a single link and downloads the DLL, starting the malware infection chain, but only from Italian IPs that are not on the operators' blacklist.

A fake BRT shipment is still the lure for an Ursnif / Gozi campaign in Italy.

Once opened, the xls attachment contacts a single link and downloads the DLL, starting the malware infection chain.

This, however, only happens if the potential victim uses Internet Explorer. Moreover, the attack is explicitly directed against Italy: the DLL is served only if two conditions are met:

  • The IP must be Italian;
  • The IP must not be blacklisted.
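The practical consequence of this gating is that a sandbox or analyst workstation egressing from a non-Italian or already-blacklisted address will never receive the DLL and will see an apparently harmless download. The following Python is an added example, not code from the article or from JAMESWT: it models the two server-side conditions described above as a decision function and adds a small helper that picks, from a list of available egress addresses, the ones a replay of the download should be attempted from. The address ranges, the blocklist and every IP in it are constructed for illustration and are not the campaign's real infrastructure; the Internet Explorer condition is a client-side check and is not modelled here.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample data (not real allocations, not campaign IOCs):
# ranges the hypothetical gate treats as "Italian", and the operators'
# blocklist of addresses that must never receive the payload.
ITALIAN_RANGES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")
]
BLOCKLIST = [
    ipaddress.ip_network(n) for n in ("203.0.113.200/30", "203.0.113.7/32")
]


def gate_decision(
    client_ip: str,
    italian_ranges: Iterable[ipaddress.IPv4Network] = ITALIAN_RANGES,
    blocklist: Iterable[ipaddress.IPv4Network] = BLOCKLIST,
) -> Tuple[bool, str]:
    """Model of the article's two conditions: the DLL is served only when
    the client address is Italian AND is not on the blocklist.

    Returns (served, reason) so callers can tell apart the two ways a
    request is refused; a real gate would simply return a benign page.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        # Malformed addresses never reach the payload.
        return False, "invalid-ip"
    if not any(ip in net for net in italian_ranges):
        return False, "not-italian"
    if any(ip in net for net in blocklist):
        return False, "blocklisted"
    return True, "served"


def pick_replay_sources(
    candidates: Iterable[str],
    italian_ranges: Iterable[ipaddress.IPv4Network] = ITALIAN_RANGES,
    blocklist: Iterable[ipaddress.IPv4Network] = BLOCKLIST,
) -> List[str]:
    """Analyst helper: keep only the egress addresses from which a replay
    of the xls download would pass the gate and actually return the DLL."""
    return [
        ip for ip in candidates
        if gate_decision(ip, italian_ranges, blocklist)[0]
    ]


if __name__ == "__main__":
    for probe in ("203.0.113.10", "203.0.113.201", "198.51.100.5", "2001:db8:1::5"):
        print(probe, gate_decision(probe))
    print(pick_replay_sources(["203.0.113.10", "198.51.100.5", "203.0.113.7"]))
```

When reproducing the chain, run the download attempt from an address that `pick_replay_sources` accepts, and treat a benign response from any other vantage point as inconclusive rather than as evidence that the link is clean.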

Ursnif / Gozi is a banking Trojan used by cybercriminals to intercept network traffic, steal credentials and download further malware.

Malware C2
