Technical analysis by the Malware Hunter JAMESWT

The latest Ursnif campaign in Italy uses MEF and MISE. The bait is the reopening of commercial activities for the Covid-19 emergency. The xlsb attachment contacts a single link and downloads a DLL that starts the malware infection

Ursnif / Gozi takes advantage of the Ministry of Economy and Finance (MEF) and that of Economic Development (MISE) for its latest campaign in Italy. The bait is the gradual reopening of economic and commercial activities following the Covid-19 emergency. In the emails, the potential victim is invited to immediately check the latest attached provisions. The compressed document in zip format contains an xlsb file, different for each message, which if opened contacts a single link (at the moment there are 5 in total) that downloads a DLL (it changes every few hours), which starts the chain of malware infection. The process is carried out, however, as long as there is only one condition: that is, that the IP from which the DLL is downloaded is from the country. This confirms, as in the previous cases of the Institutions-themed campaigns, that cybercrime specifically targets Italy. Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware. Moreover, for today’s campaign about 200 domains have been opened in the past hours. They are correctly configured in order to evade the anti spam and anti virus filters.

The false MEF and MISE emails

The xlsb attachment

The links list

DNS HTTP/HTTPS requests / Connection