
Cybercrime, new Ursnif / Gozi campaign in Italy with IcedID template

Technical analysis by the Malware Hunter JAMESWT

Cybercrime, new Ursnif / Gozi campaign in Italy with IcedID template. The attack is part of the TA551 (Shathak) offensive. The doc file inside the zip attachment of the email contacts a URL to download the DLL and start the malware infection.

The malspam campaign that delivers Ursnif / Gozi with the IcedID template is back in Italy.

The email, which reuses real stolen conversations (limited to the subject and signature), carries a password-protected zip attachment, with the password given in the message body, containing a doc file.

If opened, the document contacts a single URL and downloads the DLL, which starts the malware infection.

The cybercrime attack specifically targets Italy, as the DLL can only be downloaded from Italian IP addresses. It is also part of the TA551 campaign (aka Shathak). In the past, TA551 has delivered Ursnif / Gozi and the info-stealer Valak, before switching to IcedID in January 2021.
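A defender-side triage check for the lure described above, added here as an example and not part of the original analysis: classic zip encryption protects file contents but not the central directory, so a mail gateway can still read entry names and flags and flag a password-protected archive whose sole payload is an Office document. Filenames and the archive built by `constructed_sample` are constructed for the demo, and the encryption bit is flipped by hand because the standard library cannot write password-protected zips.

```python
"""Metadata-only triage of a zip attachment: password-protected archive
carrying a single Office document, the delivery pattern described above."""
import io
import struct
import zipfile

OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsb")
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 of the zip headers


def triage_zip(blob: bytes) -> dict:
    """Return a verdict from the central directory alone; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    encrypted = any(i.flag_bits & ENCRYPTED_FLAG for i in infos)
    office = [i.filename for i in infos
              if i.filename.lower().endswith(OFFICE_EXTS)]
    # Lure pattern: encrypted archive whose only entry is an Office file.
    suspicious = encrypted and len(infos) == 1 and len(office) == 1
    return {"encrypted": encrypted, "office_files": office,
            "entries": len(infos), "suspicious": suspicious}


def constructed_sample(name: str, encrypted: bool) -> bytes:
    """Build a one-file zip in memory (constructed test data, not a real lure).
    To mimic a password-protected archive we set the encryption bit in the
    local file header (flags at +6) and central directory header (flags at +8);
    the payload itself stays plaintext, which is enough for metadata triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"constructed placeholder, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        lfh = data.find(b"PK\x03\x04")
        cdh = data.find(b"PK\x01\x02")
        for off in (lfh + 6, cdh + 8):
            flags = struct.unpack_from("<H", data, off)[0] | ENCRYPTED_FLAG
            struct.pack_into("<H", data, off, flags)
    return bytes(data)


if __name__ == "__main__":
    for name, enc in (("documento.doc", True), ("report.pdf", False)):
        print(name, triage_zip(constructed_sample(name, enc)))
```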

Malware’s C2
