The fake pdf attached to the "PURCHASE ORDER 05-30-2023" email contains a link, from which you download a tgz file with a TAR, inside which there is an exe: the malware.
Cybercrime, Ursnif / Gozi back to Italy with a fake BRT courier email
Malware Hunter JAMESWT Technical Analysis
Ursnif / Gozi returns to Italy with a fake BRT email. The xls attachment contacts a single link and downloads the dll, which activates the malware infection. Provided that the IP is Italian and not on the blacklist
Ursnif / Gozi returns to Italy with a fake BRT courier mail about a shipment.
The xls attachment, if opened, contacts a single link and downloads the dll that triggers the malware infection.
Provided, however, that the potential victim uses Internet Explorer. Moreover, the cybercrime attack is explicitly directed against our country. The DLL, in fact, is unloaded only if only if two conditions are met:
The IP must be Italian;
The IP must not be blacklisted.
Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware.