Files packaged with Excel-DNA, from which a DLL containing two URLs pointing to Discord is extracted. The DLL downloads data files from those URLs and XORs them, producing additional DLLs that initiate the malware infection.
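As an added example for analysts (not code from the original report or from JAMESWT), the following Python script shows how a downloaded data file can be turned back into a DLL for inspection when the XOR step above uses a single-byte key. The key length is an assumption here (the report does not state it); the script brute-forces all 256 single-byte keys and accepts the first candidate whose DOS header points at a valid `PE\0\0` signature. The encoded sample is a constructed minimal PE-header stub, not a real malware file.

```python
import struct

# Byte-wise XOR with a repeating key; XOR is its own inverse, so the same
# function both encodes and decodes.
def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Heuristic PE check: 'MZ' at offset 0 and the e_lfanew pointer at 0x3C
# must reference a 'PE\0\0' signature inside the blob.
def looks_like_pe(blob: bytes) -> bool:
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Try every single-byte key (assumption: the dropper uses a 1-byte key) and
# return (key, decoded_blob) for the first result that looks like a PE file,
# or None if no key yields a plausible DLL.
def recover_single_byte_xor(blob: bytes):
    for k in range(256):
        candidate = xor_bytes(blob, bytes([k]))
        if looks_like_pe(candidate):
            return k, candidate
    return None


# Constructed sample input: a 0x80-byte stub with a valid DOS/PE header layout
# (not an executable), XOR-encoded with a known key so the recovery can be checked.
def build_fake_pe_stub() -> bytes:
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


SAMPLE_KEY = 0x5A
ENCODED_SAMPLE = xor_bytes(build_fake_pe_stub(), bytes([SAMPLE_KEY]))


if __name__ == "__main__":
    result = recover_single_byte_xor(ENCODED_SAMPLE)
    if result is None:
        print("no single-byte XOR key produced a PE header")
    else:
        key, decoded = result
        print(f"recovered key 0x{key:02X}, decoded {len(decoded)} bytes, PE header ok")
```

On a real data file the same loop is run over the bytes pulled from the Discord URL; if no key produces a PE header, the dropper is using a longer key or an additional transform, and the analyst should look at the DLL's decoding routine instead of guessing.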
Malware Hunter JAMESWT Technical Analysis
New wave of the Ursnif / Gozi campaign in Italy via BRT. The xlsm attachment contacts a single URL from which it downloads the DLL, starting the malware infection, but only from Italian IPs that are not blacklisted.
New wave of the Ursnif / Gozi campaign in Italy via BRT.
The email's xlsm attachment, if opened, contacts a single URL from which it downloads the DLL, starting the malware infection.
Moreover, the attack is explicitly aimed at Italy: the DLL is in fact downloaded only if three conditions are met:
The IP must be Italian;
The IP must not be blacklisted;
The DLL must not have already been downloaded.
Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware. The campaign is identical to those that hit our country on April 7, in May (on 4, 11 and 31) and on June 22.
The malware's C2 server