
Cybercrime, new Ursnif / Gozi campaign in Italy via BRT

Malware Hunter JAMESWT Technical Analysis

New Ursnif / Gozi campaign in Italy, exploiting a fake BRT shipment. The email's XLS attachment contacts a single link and downloads the DLL that starts the malware infection, provided that the IP is Italian and not on the blacklist.

A new Ursnif / Gozi campaign is under way in Italy, using a fake BRT shipment as the lure.

The email's XLS attachment, if opened, contacts a single link from which the malicious DLL is downloaded, triggering the malware infection.

This happens, however, only if the potential victim uses Internet Explorer. Moreover, the cybercrime attack is explicitly directed against Italy. The DLL, in fact, is downloaded only if two conditions are met:

  • The IP must be Italian;
  • The IP must not be blacklisted.

Ursnif / Gozi is a banking Trojan used by cybercrime to intercept network traffic, steal credentials and download other malware.

Malware C2
