The email GZ attachment contains a password-protected zip (not provided in the text), with an exe inside: the malware itself. It is not known what the next payload is.
Technical analysis by the Malware Hunter JAMESWT
The latest Ursnif campaign in Italy uses MEF and MISE. The bait is the reopening of commercial activities for the Covid-19 emergency. The xlsb attachment contacts a single link and downloads a DLL that starts the malware infection
Ursnif / Gozi takes advantage of the Ministry of Economy and Finance (MEF) and that of Economic Development (MISE) for its latest campaign in Italy. The bait is the gradual reopening of economic and commercial activities following the Covid-19 emergency. In the emails, the potential victim is invited to immediately check the latest attached provisions. The compressed document in zip format contains an xlsb file, different for each message, which if opened contacts a single link (at the moment there are 5 in total) that downloads a DLL (it changes every few hours), which starts the chain of malware infection. The process is carried out, however, as long as there is only one condition: that is, that the IP from which the DLL is downloaded is from the country. This confirms, as in the previous cases of the Institutions-themed campaigns, that cybercrime specifically targets Italy. Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware. Moreover, for today’s campaign about 200 domains have been opened in the past hours. They are correctly configured in order to evade the anti spam and anti virus filters.
The false MEF and MISE emails
The xlsb attachment
The links list
DNS HTTP/HTTPS requests / Connection