
Cybercrime, Italy hit by a huge Ursnif/Gozi “energy adaptation” campaign

Technical analysis by the Malware Hunter JAMESWT

Italy is suffering a huge Ursnif/Gozi campaign via fake Revenue Agency emails and alleged measures on energy adaptation. All messages come from “.casa” domains. The attachment, different for each message, contains an xlsb file which, if opened, retrieves a DLL that starts the malware infection.

Italy is suffering a huge Ursnif/Gozi campaign via fake Revenue Agency emails and alleged measures on energy adaptation. The common denominator is that all messages come from “.casa” domains. The subjects, on the other hand, vary: from “the organs of the Revenue Agency” to “Parliamentary supervisory commission on the tax registry” or “on the tax register”. The texts also vary slightly, but the message they convey is the same. The attachment, a compressed document in zip format, is different for each email and contains an xlsb file. This, if opened, contacts a malicious link from an internal list and downloads a DLL, which starts the malware infection. The download succeeds, however, only under one condition: the IP address from which the DLL is requested must be Italian. This confirms once again that cybercrime is specifically targeting Italy. Ursnif/Gozi is a banking Trojan, capable of intercepting network traffic, stealing credentials and downloading other malware.
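The lure traits described above (sender domains under “.casa”, Revenue Agency / tax-registry subjects, a zip attachment carrying an .xlsb workbook) can be turned into a simple mail-triage rule. The following is an added example, not code from the original article or from the analyst; the indicator values are only the traits the article states, and every sample message, sender address and in-memory zip is constructed for the demo.

```python
"""
Triage helper for the Ursnif/Gozi "energy adaptation" lure described above.
Added example, not code from the original article. The traits below are
taken from the article's description; the sample messages and the in-memory
zip archives are constructed for this demo and are not real indicators.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Lure traits stated in the article (not the campaign's actual IoCs).
SENDER_TLD = ".casa"
SUBJECT_KEYWORDS = ("revenue agency", "tax registry", "tax register")
STAGER_EXTENSIONS = (".xlsb",)


@dataclass
class Message:
    sender: str
    subject: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes


def zip_members(blob: bytes) -> list:
    """Return member names of a zip blob, or [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(msg: Message) -> list:
    """Return the list of lure traits a message matches (empty = no match)."""
    hits = []
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain.endswith(SENDER_TLD):
        hits.append("sender-tld")
    subj = msg.subject.lower()
    if any(k in subj for k in SUBJECT_KEYWORDS):
        hits.append("subject-theme")
    for name, blob in msg.attachments.items():
        if name.lower().endswith(".zip"):
            members = zip_members(blob)
            if any(m.lower().endswith(STAGER_EXTENSIONS) for m in members):
                hits.append("zip-with-xlsb")
                break
    return hits


def is_suspicious(msg: Message) -> bool:
    """Flag when at least two independent traits line up."""
    return len(triage(msg)) >= 2


def build_zip(members: dict) -> bytes:
    """Construct an in-memory zip (demo only) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a lure-shaped message and a benign one.
LURE = Message(
    sender="ufficio@example-lure.casa",  # constructed address, not a real IoC
    subject="Parliamentary supervisory commission on the tax registry",
    attachments={"documento.zip": build_zip({"documento.xlsb": b"\x00demo"})},
)
BENIGN = Message(
    sender="alice@example.com",
    subject="Lunch on Friday?",
    attachments={"menu.zip": build_zip({"menu.pdf": b"%PDF-demo"})},
)

if __name__ == "__main__":
    for m in (LURE, BENIGN):
        print(m.sender, triage(m), is_suspicious(m))
```

The rule scores lure traits rather than the downloaded DLL on purpose: since the article notes the DLL is served only to Italian IP addresses, a sandbox detonating the workbook from outside Italy may never retrieve the payload, so triage that depends on the second stage can miss the campaign entirely.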

An example of the fake Revenue Agency emails

The xlsb document

The internal list of links contacted to download the DLL

IoCs: DLL domain and C2

The subjects of the emails and the domains of origin of the messages
