Technical analysis by malware hunter JAMESWT
Another Ursnif / Gozi campaign in Italy via a fake BRT invoice. The e-mail's xlsm attachment contacts a single URL from which it downloads the DLL, which starts the malware infection. But only from Italian IPs, and only if they are not blacklisted.
Ursnif / Gozi returns to Italy with a courier-themed campaign: an e-mail carrying a fake BRT invoice.
The xlsm attachment, if opened, contacts a single URL from which it downloads the DLL that starts the malware infection.
Moreover, the attack is explicitly aimed at Italy: the distribution server hands out the DLL only if three conditions are all met:
- the requesting IP must be Italian;
- the IP must not be blacklisted;
- the DLL must not already have been downloaded (the URL serves it once).
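A practical consequence of that gating is that a sandbox or analyst fetching the URL from outside Italy, from a known scanner range, or after the first download will see nothing, so the chain is most reliably spotted on the endpoint itself: an Office process makes an outbound connection and, moments later, a DLL appears on disk. The Python below, an added example that is not part of the original article or of JAMESWT's analysis, correlates those two signals over constructed EDR-style telemetry. The event format, process names, file names and IP addresses (documentation ranges) are all invented for the illustration; adapt the field names to whatever your EDR or Sysmon pipeline emits.

```python
import json
from datetime import datetime

# Constructed EDR-style events (JSON lines), invented for this example.
# One Excel process contacts a host and writes a DLL two seconds later;
# a browser does the same (benign download); Word only goes online.
SAMPLE_EVENTS = r"""
{"ts":"2021-05-18T09:12:01","event":"process","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","cmdline":"EXCEL.EXE fattura_BRT.xlsm"}
{"ts":"2021-05-18T09:12:09","event":"network","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","dest":"198.51.100.23:80"}
{"ts":"2021-05-18T09:12:11","event":"file","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","path":"C:\\Users\\mario\\AppData\\Local\\Temp\\u.dll"}
{"ts":"2021-05-18T09:15:40","event":"network","pid":5200,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"203.0.113.9:443"}
{"ts":"2021-05-18T09:15:41","event":"file","pid":5200,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","path":"C:\\Users\\mario\\Downloads\\setup.dll"}
{"ts":"2021-05-18T10:02:00","event":"network","pid":6100,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest":"192.0.2.15:443"}
"""

# Office hosts that should not normally fetch and drop DLLs on their own.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts' field."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_dll_downloads(events, window_seconds=60):
    """Return one alert per Office process that made an outbound connection
    and then wrote a .dll file within `window_seconds` of that connection.

    The correlation key is the pid; the most recent network event per pid is
    kept so a long-running Excel session is judged on its latest connection.
    """
    last_net = {}   # pid -> most recent network event from an Office process
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if basename(e["image"]) not in OFFICE_IMAGES:
            continue                      # browsers etc. download DLLs legitimately
        if e["event"] == "network":
            last_net[e["pid"]] = e
        elif e["event"] == "file" and e["path"].lower().endswith(".dll"):
            net = last_net.get(e["pid"])
            if net and (e["ts"] - net["ts"]).total_seconds() <= window_seconds:
                alerts.append({
                    "pid": e["pid"],
                    "image": basename(e["image"]),
                    "dest": net["dest"],
                    "dll": e["path"],
                    "seconds_after_connect": (e["ts"] - net["ts"]).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_office_dll_downloads(parse_events(SAMPLE_EVENTS)):
        print("ALERT: Office process fetched a DLL:", alert)
```

Run against the sample, only the Excel process is reported: Chrome writing a DLL is ignored because it is not an Office host, and Word's connection alone is not enough. In production you would also want to tie the dropped DLL to whatever later loads it, and to collect the destination from the alert so the URL can be replayed from an Italian egress IP that the server has not seen before, which is what the three gating conditions above require.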
Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading further malware. The campaign is identical to those that hit Italy on May 4th and April 7th.