
Cybercrime, Ursnif / Gozi campaign in Italy via fake Findomestic email

Technical analysis by the Malware Hunter JAMESWT

Ursnif / Gozi campaign in Italy via fake Findomestic email. The xlsb attachment contacts a single URL from which it downloads the DLL that starts the malware infection, but only if the IP is Italian.

A fake Findomestic email delivers the new Ursnif / Gozi campaign in Italy.

The xlsb attachment contacts a single URL from which it downloads the DLL, which starts the malware infection.

The download of the DLL, however, starts only if the IP is Italian. Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware.

Malware’s C2
