
Cybercrime, new wave of the Ursnif / Gozi campaign in Italy via BRT

Malware Hunter JAMESWT Technical Analysis

New wave of the Ursnif / Gozi campaign in Italy via BRT. The xlsm attachment contacts a single URL from which it downloads the DLL, starting the malware infection, but only from Italian IPs that are not blacklisted.

New wave of the Ursnif / Gozi campaign in Italy via BRT.

If opened, the xlsm attached to the email contacts a single URL from which it downloads the DLL, starting the malware infection.

The attack is, moreover, explicitly aimed at Italy: the server delivers the DLL only if all three of the following conditions are met:

The requesting IP must be Italian;

The requesting IP must not be blacklisted;

The DLL must not already have been downloaded.

In practice this means a request from a non-Italian IP, from a blacklisted address, or a repeat request will not receive the payload, so the DLL has to be captured at the time of the first detonation.

Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware. The campaign is identical to those that hit Italy on 7 April, in May (on the 4th, 11th and 31st) and on 22 June.

The malware's C2 servers

IOCs

DLL URL

https://consaltyng[.]com/

192.64.114[.]87

C2

ghjakappoppepeodkd[.]website

195.123.212[.]132

hteadclsspdkmdasd[.]live

185.186.245[.]22

dreamfjdjslkdskdn[.]website

31.214.157[.]207

185.186.246[.]95

185.212.47[.]181

Hash list (MD5)

Xls

e6cba5de971230887f303317b18892c2

Xlsm

faf276a7f7aabafa22ff9f8fd92dc9c2

1a55c95079c30365da1c489b881c38ad

Dll

c33644c4f82a0c81ebc17e8c47ff2151
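The indicators above, as an added example that is not part of the original post: a Python script that refangs the network IOCs and MD5s listed on this page and matches them against Squid-style proxy log lines and file-hash records. The log lines, client addresses, timestamps and file paths are constructed for the example; only the indicators come from the list above, and the CONNECT handling covers TLS sessions the proxy only tunnels.

```python
"""IOC matcher for the Ursnif/Gozi wave described above.

Added example, not part of the original post: refangs the page's indicators
and runs them over constructed proxy log lines and file-hash records.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC list on this page (defanged form).
DLL_URL_IOCS = ["https://consaltyng[.]com/", "192.64.114[.]87"]
C2_IOCS = [
    "ghjakappoppepeodkd[.]website", "195.123.212[.]132",
    "hteadclsspdkmdasd[.]live", "185.186.245[.]22",
    "dreamfjdjslkdskdn[.]website", "31.214.157[.]207",
    "185.186.246[.]95", "185.212.47[.]181",
]
MD5_IOCS = {
    "e6cba5de971230887f303317b18892c2": "xls",
    "faf276a7f7aabafa22ff9f8fd92dc9c2": "xlsm",
    "1a55c95079c30365da1c489b881c38ad": "xlsm",
    "c33644c4f82a0c81ebc17e8c47ff2151": "dll",
}


def refang(ioc: str) -> str:
    """Undo common defanging: [.] -> . and hxxp -> http."""
    return re.sub(r"hxxp", "http", ioc.replace("[.]", "."), flags=re.I)


def host_of(ioc: str) -> str:
    """Reduce a URL, domain or IP indicator to a bare lowercase host."""
    s = refang(ioc).strip()
    if "://" in s:
        s = urlsplit(s).hostname or ""
    return s.rstrip("/").lower()


def build_host_index() -> dict:
    """host -> stage label, so a hit says whether it is the DLL download or C2."""
    index = {host_of(i): "dll_url" for i in DLL_URL_IOCS}
    index.update({host_of(i): "c2" for i in C2_IOCS})
    return index


# Squid access.log shape: time elapsed client code/status bytes method url ...
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan_proxy_log(text: str, index: dict = None) -> list:
    """Return (timestamp, client, host, label) for each line whose host is an IOC.

    CONNECT lines carry host:port instead of a URL, so both shapes are handled.
    """
    index = index or build_host_index()
    hits = []
    for line in text.splitlines():
        m = PROXY_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = urlsplit(url).hostname if "://" in url else url.split(":")[0]
        host = (host or "").lower()
        if host in index:
            hits.append((m.group("ts"), m.group("client"), host, index[host]))
    return hits


def scan_hashes(records: list) -> list:
    """records: (path, md5) pairs from an EDR or file inventory; returns IOC matches."""
    return [(path, md5.lower(), MD5_IOCS[md5.lower()])
            for path, md5 in records if md5.lower() in MD5_IOCS]


# Constructed sample data (not real logs): the DLL fetch, a benign request,
# a tunnelled TLS session to a C2 domain, and a plain-HTTP request to a C2 IP.
SAMPLE_PROXY_LOG = """\
1625212801.123    412 10.0.5.17 TCP_MISS/200 1024 GET https://consaltyng.com/ - HIER_DIRECT/192.64.114.87 application/octet-stream
1625212802.456     88 10.0.5.17 TCP_MISS/200 512 GET https://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1625212803.789    133 10.0.5.17 TCP_TUNNEL/200 2048 CONNECT ghjakappoppepeodkd.website:443 - HIER_DIRECT/195.123.212.132 -
1625212804.001     20 10.0.5.22 TCP_MISS/200 300 GET http://185.186.245.22/ - HIER_DIRECT/185.186.245.22 text/plain
"""

# Constructed file-hash records; the first MD5 is the page's xlsm hash.
SAMPLE_HASHES = [
    ("C:\\Users\\u\\Downloads\\fattura.xlsm", "FAF276A7F7AABAFA22FF9F8FD92DC9C2"),
    ("C:\\Windows\\System32\\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("network IOC hit:", hit)
    for hit in scan_hashes(SAMPLE_HASHES):
        print("hash IOC hit:", hit)
```

Hash matching is case-insensitive because EDR exports frequently upper-case MD5s, and the host index is keyed on bare hostnames so a hit on the DLL URL and a hit on its IP are both reported as the same stage.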
