Two mails with different gz attachments contain the same chm file, which downloads and launches the malware. Stolen data is exfiltrated through the FTP server of a Bosnian company.
Malware Hunter JAMESWT Technical Analysis
New Ursnif / Gozi campaign in Italy, exploiting a fake BRT shipment notice. The email xls attachment contacts a single link and downloads the dll, which activates the malware infection, provided that the IP is Italian and not on the blacklist.
New Ursnif / Gozi campaign in Italy through a fake BRT shipment notice.
The email xls attachment, if opened, contacts a single link from which the malicious dll is downloaded, triggering the malware infection.
This happens, however, only if the potential victim uses Internet Explorer. Moreover, the cybercrime attack is explicitly directed against Italy: the DLL is downloaded only if two conditions are met:
- The IP must be Italian;
- The IP must not be blacklisted.
Ursnif / Gozi is a banking Trojan used by cybercriminals to intercept network traffic, steal credentials and download other malware.
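As an added illustration, not part of the original analysis and not the campaign's own indicators: because the DLL is only served to Italian, non-blacklisted IPs, a sandbox outside Italy may never retrieve it, so a host-side correlation of the chain described above (an Office process reaching out, then a DLL landing on disk shortly after) is a practical detection. Host names, paths and addresses below are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime      # event time
    host: str         # endpoint name
    kind: str         # "net" = outbound connection, "file" = file written
    image: str        # process image that caused the event
    detail: str       # "ip:port" for net events, file path for file events

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}

def find_office_dll_drops(events, window=timedelta(minutes=5)):
    """Flag a DLL written by an Office process within `window` after that same
    process (same host, same image) made an outbound connection.
    Returns a list of (host, image, destination, dll_path) tuples."""
    hits = []
    recent_net = {}  # (host, image) -> outbound connections seen so far
    for e in sorted(events, key=lambda ev: ev.ts):
        image = e.image.lower()
        if image not in OFFICE:
            continue
        key = (e.host, image)
        if e.kind == "net":
            recent_net.setdefault(key, []).append(e)
        elif e.kind == "file" and e.detail.lower().endswith(".dll"):
            for n in recent_net.get(key, []):
                if timedelta(0) <= e.ts - n.ts <= window:
                    hits.append((e.host, e.image, n.detail, e.detail))
                    break
    return hits

# Constructed sample telemetry (placeholder hosts, paths and RFC 5737 addresses)
T = datetime(2021, 3, 1, 9, 0, 0)
SAMPLE = [
    # Benign: Excel opens a workbook from a file share, no DLL is written
    Event(T, "WS-01", "net", "EXCEL.EXE", "10.0.0.5:445"),
    Event(T + timedelta(seconds=3), "WS-01", "file", "EXCEL.EXE", r"C:\Users\a\Documents\budget.xlsx"),
    # Suspicious: Excel reaches out over HTTP and a DLL lands in %TEMP% seconds later
    Event(T, "WS-02", "net", "EXCEL.EXE", "203.0.113.10:80"),
    Event(T + timedelta(seconds=12), "WS-02", "file", "EXCEL.EXE", r"C:\Users\b\AppData\Local\Temp\loader.dll"),
    # Not correlated: the DLL write falls far outside the window
    Event(T, "WS-03", "net", "EXCEL.EXE", "203.0.113.10:80"),
    Event(T + timedelta(minutes=30), "WS-03", "file", "EXCEL.EXE", r"C:\Users\c\AppData\Local\Temp\x.dll"),
]

if __name__ == "__main__":
    for hit in find_office_dll_drops(SAMPLE):
        print("ALERT office-download-dll", hit)
```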