A zip attachment contains a img with an exe: the malware. The other, a pdf downloading a zip with an exe: the same malware. The data is exfiltrated via SMTP.
Cybercrime, Ursnif / Gozi back to Italy via Enel Energia
Technical analysis by the Malware Hunter JAMESWT
Ursnif / Gozi back to Italy via Enel Energia. The bait are false invoice offsetts. The xls attachment contacts single link from which it downloads the dll, starting the malware infection. But only from Italian IPs
Ursnif / Gozi returns to Italy with a fake email from Enel Energia, which this time uses invoice offsets as bait.
The message contains an xls attachment which, if opened, contacts a single link from which the malicious dll is downloaded, triggering the malware infection. This, provided that the potential victim uses Internet Explorer and that the IP is Italian (unlike previous campaigns on Enel Energia, the blacklist is missing). Ursnif / Gozi is a banking Trojan used by cybercrime to intercept network traffic, steal credentials and download other malware.