
Cybercrime, new Ursnif / Gozi campaign in Italy via INPS

Technical analysis by the Malware Hunter JAMESWT

Ursnif / Gozi is being spread in Italy through an INPS-themed campaign. The text of the message is poorly written, but the attack is still dangerous: the xls attachment contacts specific URLs from which a DLL is downloaded, infecting the victim's PC.

Ursnif / Gozi returns to Italy, taking advantage of the INPS bait. In the last few hours, emails have been circulating (1,2) that bear the signature of a real manager of the Institute and refer to the rejection of a supposed request. The victim is invited to consult the attached documentation. The text contains a number of grammar and syntax errors, a sign that the cybercrime actors behind the campaign probably used an automatic translator. The danger, however, is real. The attachment is an xls file (different for each email) which, once opened, asks for the password (included in the message) and contacts the single URL embedded within it. So far, across all the messages received, four such URLs have been seen:

hxxp://link.fixuppropertysolutions[.]com/major.dll

hxxp://service.21stcenturyleadersawards[.]org/import.dll

hxxp://stats.21stcentury-leadership[.]org/major.dll

hxxp://log.whateverittakesdoc[.]org/important.dll

From that URL a DLL is downloaded to the user's computer, and this DLL starts the malware infection chain.

The INPS bait had already been used two weeks ago by cybercrime to convey malware, with a campaign that specifically targets Italy

This latest Ursnif / Gozi campaign is aimed specifically at Italy. The DLL can in fact only be downloaded from Italian IPs, although at times the links are also reachable from IPs in other countries. Furthermore, the INPS-themed attack is not new: cyber criminals used the same bait and the same type of infection chain two weeks ago to distribute the banking Trojan. In that case the text was different, referring to alleged discrepancies in the payment of social security contributions.
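As an added illustration (not part of the original article), the following Python snippet flags proxy log entries that contact the four campaign URLs quoted above. The log format and the sample entries are constructed; note that a blocked or failed download (for instance a 403 returned to a non-Italian IP) is still evidence that the malicious xls was opened and reached out.

```python
import re
from urllib.parse import urlsplit

# Indicator hostnames and DLL paths, taken from the campaign URLs quoted in the article.
CAMPAIGN_URLS = {
    "link.fixuppropertysolutions.com": "/major.dll",
    "service.21stcenturyleadersawards.org": "/import.dll",
    "stats.21stcentury-leadership.org": "/major.dll",
    "log.whateverittakesdoc.org": "/important.dll",
}

# Constructed sample proxy log; assumed format: timestamp client_ip method url status
SAMPLE_LOG = """\
2021-03-10T09:12:01Z 10.0.0.15 GET http://link.fixuppropertysolutions.com/major.dll 200
2021-03-10T09:12:05Z 10.0.0.22 GET https://www.example.org/index.html 200
2021-03-10T09:13:44Z 10.0.0.31 GET http://stats.21stcentury-leadership.org/major.dll 403
2021-03-10T09:14:02Z 10.0.0.40 GET http://cdn.example.net/assets/library.dll 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_request(url):
    """Return 'ioc' for an exact campaign URL match, 'dll' for any other
    direct DLL download (a weaker heuristic worth triage), else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if host in CAMPAIGN_URLS and path == CAMPAIGN_URLS[host]:
        return "ioc"
    if path.lower().endswith(".dll"):
        return "dll"
    return None


def scan_proxy_log(text):
    """Return (client_ip, url, status, verdict) for every suspicious entry.
    The status is kept because a 403 still shows the document phoned home."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        verdict = classify_request(m["url"])
        if verdict:
            hits.append((m["client"], m["url"], int(m["status"]), verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```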

Two examples of the malicious email

The xls document that contacts the url from which the DLL is downloaded

DNS HTTP/HTTPS requests / Connection
