skip to Main Content

Cybercrime, new Ursnif/Gozi campaign in Italy via false BRT invoice

Technical analysis by the Malware Hunter JAMESWT

Another Ursnif / Gozi campaign in Italy via false BRT invoice. The email xlsm attachment contacts single url from which it downloads the dll, which starts malware infection. But only from Italian IPs and if they are not blacklisted

Ursnif / Gozi returns to Italy with a courier-themed campaign and an email on a fake BRT invoice.


The xlsm attachment, if opened, contacts a single url from which it downloads the dll, starting the malware infection.

Moreover, the cybercrime attack is explicitly directed against the country. The DLL, in fact, is downloaded only if only if three conditions are met:

  • The IP must be Italian;
  • The IP must not be blacklisted;
  • The DLL must not have already been downloaded.

Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware. The campaign is identical to those that hit our country on May 4th and April 7th.

Malware’s C2

Back To Top