Technical analysis by the Malware Hunter JAMESWT

Ursnif / Gozi back to Italy via Enel Energia. The bait are false invoice offsetts. The xls attachment contacts single link from which it downloads the dll, starting the malware infection. But only from Italian IPs

Ursnif / Gozi returns to Italy with a fake email from Enel Energia, which this time uses invoice offsets as bait.

The message contains an xls attachment which, if opened, contacts a single link from which the malicious dll is downloaded, triggering the malware infection. This, provided that the potential victim uses Internet Explorer and that the IP is Italian (unlike previous campaigns on Enel Energia, the blacklist is missing). Ursnif / Gozi is a banking Trojan used by cybercrime to intercept network traffic, steal credentials and download other malware.

Malware C2