Technical analysis by the Malware Hunter JAMESWT
Ursnif / Gozi is being spread in Italy through an INPS-themed campaign. The text of the message is poorly written, but the threat is real: the xls attachment contacts a specific URL from which a DLL is downloaded, infecting the victim's PC.
Ursnif / Gozi returns to Italy, again using the INPS bait. In the last few hours, emails have been circulating (1, 2) that carry the signature of a real manager of the Institute and refer to the rejection of a hypothetical request. The victim is invited to consult the attached documentation. The text contains a number of grammar and syntax errors, a sign that the cybercrime actors behind the campaign probably used an automatic translator. The danger, however, is real. The attachment is an xls file (different for each email) which, once opened, asks for the password (given in the message) and then contacts the single URL it contains. So far, based on all the messages received, four such URLs have been seen (shown defanged):
http://link.fixuppropertysolutions[.]com/major.dll
http://service.21stcenturyleadersawards[.]org/import.dll
http://stats.21stcentury-leadership[.]org/major.dll
http://log.whateverittakesdoc[.]org/important.dll
From that URL a DLL is downloaded to the user's computer, which starts the malware infection chain.
The INPS bait had already been used two weeks ago by cybercrime to deliver malware, in a campaign that likewise targeted Italy specifically.
This latest Ursnif / Gozi campaign is aimed specifically at the country: the DLL can only be downloaded from Italian IP addresses, although at times the links have also been reachable from IPs in other countries. Furthermore, the INPS-themed attack is not new. Cyber criminals used the same bait and the same type of infection chain two weeks ago to distribute the banking Trojan. In that case the text was different, referring to alleged discrepancies in the payment of social security contributions.
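As an added example (not part of the original analysis), the following Python script refangs the four indicators quoted above and runs a simple check over constructed proxy-log lines, flagging requests to the listed hosts and, at lower confidence, any plain-HTTP fetch of a .dll file. The log format, timestamps and client IP addresses are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# The four indicators exactly as printed (defanged) in the article above.
DEFANGED_IOCS = [
    "http://link.fixuppropertysolutions[.]com/major.dll",
    "http://service.21stcenturyleadersawards[.]org/import.dll",
    "http://stats.21stcentury-leadership[.]org/major.dll",
    "http://log.whateverittakesdoc[.]org/important.dll",
]


def refang(ioc: str) -> str:
    """Turn the defanged notation back into a parseable URL (for matching only).
    Handles the "[.]" form and the looser "[." / stray-space form."""
    s = ioc.replace(" ", "").replace("hxxp", "http")
    return s.replace("[.]", ".").replace("[.", ".")


IOC_HOSTS = {urlparse(refang(u)).hostname.lower() for u in DEFANGED_IOCS}

# Constructed proxy log (assumed format: timestamp client method url status).
SAMPLE_PROXY_LOG = """\
2021-01-14T10:02:11 10.0.0.15 GET http://link.fixuppropertysolutions.com/major.dll 200
2021-01-14T10:02:12 10.0.0.15 GET http://update.example.com/setup.dll 200
2021-01-14T10:03:01 10.0.0.22 GET https://www.inps.it/ 200
2021-01-14T10:03:05 10.0.0.22 GET http://log.whateverittakesdoc.org/important.dll 403
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify(url: str):
    """Return a verdict string for a requested URL, or None if nothing stands out."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in IOC_HOSTS:
        return "ioc-match"          # host from the published indicator list
    if p.scheme == "http" and p.path.lower().endswith(".dll"):
        return "suspicious-dll-download"  # generic: DLL fetched over plain HTTP
    return None


def scan_proxy_log(text: str):
    """Yield (client, url, verdict) for every log line that warrants a look.
    A blocked (403) contact is still reported: the request itself is the signal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["url"])
        if verdict:
            hits.append((m["client"], m["url"], verdict))
    return hits
```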
[Figure: Two examples of the malicious email]
[Figure: The xls document that contacts the URL from which the DLL is downloaded]
[Figure: DNS and HTTP/HTTPS requests / connections observed]