Malware Hunter JAMESWT Technical Analysis
Ursnif / Gozi returns to Italy with a fake BRT email. The xls attachment contacts a single link and downloads the DLL that starts the malware infection, provided that the victim's IP is Italian and not on a blacklist.
Ursnif / Gozi returns to Italy with a fake BRT courier email about a shipment.
The xls attachment, if opened, contacts a single link and downloads the DLL that triggers the malware infection.
This happens, however, only if the potential victim uses Internet Explorer. Moreover, the cybercrime attack is explicitly directed against Italy: the DLL is in fact downloaded only if two conditions are met:
The IP must be Italian;
The IP must not be blacklisted.
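An added detection example (not part of JAMESWT's analysis): the delivery chain above, an Office process connecting out, writing a DLL and having it loaded by rundll32/regsvr32, correlated over constructed Sysmon-style events. PIDs, paths and the IP are hypothetical; the geo/blacklist gating means a sandbox outside Italy may never see the download stage at all.

```python
"""Correlate the xls -> link -> DLL chain over Sysmon-style events:
Office process connects out (event 3), writes a .dll (event 11), and a
rundll32/regsvr32 process is then started with that DLL (event 1)."""
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

# Constructed sample events (hypothetical PIDs, paths and IP).
SAMPLE_EVENTS = [
    {"ts": 10, "eid": 1, "pid": 4120, "image": "C:\\Office\\EXCEL.EXE"},
    {"ts": 12, "eid": 3, "pid": 4120, "image": "C:\\Office\\EXCEL.EXE",
     "dest": "203.0.113.7:80"},
    {"ts": 14, "eid": 11, "pid": 4120, "image": "C:\\Office\\EXCEL.EXE",
     "target": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.dll"},
    {"ts": 15, "eid": 1, "pid": 5200, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32 C:\\Users\\u\\AppData\\Local\\Temp\\upd.dll,DllRegisterServer"},
    # Benign noise: a browser connecting out and an ordinary rundll32 start.
    {"ts": 16, "eid": 3, "pid": 777, "image": "C:\\Chrome\\chrome.exe",
     "dest": "198.51.100.5:443"},
    {"ts": 17, "eid": 1, "pid": 790, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32 shell32.dll,Control_RunDLL"},
]


def detect_office_dll_chain(events, window=60):
    """Return one alert per Office process that connected out, dropped a
    DLL and had it loaded by rundll32/regsvr32 within `window` seconds."""
    stages = defaultdict(dict)  # office pid -> stages seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["eid"] == 3 and name in OFFICE_APPS:
            stages[ev["pid"]]["net"] = (ev["ts"], ev["dest"])
        elif ev["eid"] == 11 and name in OFFICE_APPS and ev["target"].lower().endswith(".dll"):
            stages[ev["pid"]]["dll"] = ev["target"].lower()
        elif ev["eid"] == 1 and name in DLL_LOADERS:
            cmd = ev.get("cmdline", "").lower()
            for pid, st in stages.items():
                # Alert only when all three stages line up on the same DLL.
                if "net" in st and "dll" in st and st["dll"] in cmd \
                        and ev["ts"] - st["net"][0] <= window:
                    alerts.append({"office_pid": pid, "loader_pid": ev["pid"],
                                   "dll": st["dll"], "c2": st["net"][1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_office_dll_chain(SAMPLE_EVENTS):
        print(alert)
```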
Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware.