The zip attachment of the "PURCHASE ORDER" email contains a bat file. This runs a PS, which infects the machine with malware. The stolen data is exfiltrated via SMTP.
Cybercrime, Italy hit by a huge Urnisf/Gozi “energy adaptation” campaign
Technical analysis by the Malware Hunter JAMESWT
Italy is suffering a huge Ursnif/Gozi campaign via fake Revenue Agency emails and alleged measures on energy adaptation. They all come from “.casa” domains. The attachment, different for each message, contains xlsb. It, if opened, contacts a DLL which starts malware infection
Italy is suffering a huge Ursnif/Gozi campaign via fake Revenue Agency emails and alleged measures on energy adaptation. The common denominator is that all messages come from “.casa” domains. The objects, on the other hand, vary: from “the organs of the Revenue Agency” to “Parliamentary supervisory commission on the tax registry” or “on the tax register”. The texts also vary slightly, but the concept expressed is the same. The attachment, a compressed document in zip format is different for each email and contains an xlsb file. This, if opened, contacts a malicious link from an internal list and downloads a DLL, which starts the malware infection. The process is carried out, however, as long as there is only one condition: that is, that the IP from which the DLL is downloaded is from our country. This also confirms today that cybercrime is specifically targeting Italy. Ursnif / Gozi is a banking Trojan, capable of intercepting network traffic, stealing credentials and downloading other malware.
An example of the fake Revenue Agency emails
The xlsb document
The internal list of links contacted to download the DLL
IOCS dll domain and C2
The objects of the emails and the domains of origin of the messages