
Cybercrime, Ursnif/Gozi exploits again BRT for a campaign in Italy

Technical analysis by the Malware Hunter JAMESWT

Cybercrime, Ursnif/Gozi exploits again BRT for a campaign in Italy. The xlsm attachment contacts a single URL from which it downloads the DLL that starts the malware infection, but only from Italian IPs that are not blacklisted.

Ursnif / Gozi goes back to hiding behind a fake BRT invoice in a new campaign in Italy.

The xlsm mail attachment, if opened, contacts a single URL from which it downloads the DLL, starting the malware infection.

Moreover, the cybercrime attack is targeted. The DLL is, in fact, downloaded only if three conditions are met:

  • The IP must be Italian;
  • The IP must not be blacklisted;
  • The DLL must not have already been downloaded.
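From a defender's side, the gating described above has a practical consequence: an Office process that reaches out for a DLL is worth flagging whether or not a payload comes back, because a client that fails the actor's checks (wrong country, blacklisted IP, second request) simply gets an empty or error response. The following is an added example, not code from the article or its author; the log format and the hostnames are constructed for illustration and stand in for whatever proxy or EDR telemetry is actually available.

```python
# Constructed sample proxy log lines (not from the article):
# client_ip process method url status content_type
SAMPLE_LOG = """\
10.0.0.5 EXCEL.EXE GET http://updates.example-cdn.test/report.dll 200 application/x-msdownload
10.0.0.5 chrome.exe GET https://www.example.org/index.html 200 text/html
10.0.0.7 EXCEL.EXE GET http://updates.example-cdn.test/report.dll 404 text/html
10.0.0.9 WINWORD.EXE GET http://files.example.test/invoice.png 200 image/png
"""

# Office binaries that should not normally be fetching executables.
OFFICE_PROCESSES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
# Content types a served DLL typically comes back with.
DLL_TYPES = {"application/x-msdownload", "application/octet-stream"}


def parse_line(line):
    """Split one constructed log line into a dict of its six fields."""
    ip, proc, method, url, status, ctype = line.split()
    return {"ip": ip, "proc": proc.upper(), "method": method,
            "url": url, "status": int(status), "ctype": ctype}


def find_office_dll_downloads(log_text):
    """Return (hits, empty): 'hits' are Office processes that actually received
    a DLL-like body (the second stage landed); 'empty' are Office processes that
    asked for a DLL but got no payload, which is exactly what a geo- or
    IP-gated downloader looks like from a host that fails the actor's checks.
    Both lists deserve a look; only the first means the DLL is on disk."""
    hits, empty = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proc"] not in OFFICE_PROCESSES:
            continue
        looks_like_dll = ev["url"].lower().endswith(".dll") or ev["ctype"] in DLL_TYPES
        if not looks_like_dll:
            continue
        if ev["status"] == 200 and ev["ctype"] in DLL_TYPES:
            hits.append(ev)
        else:
            empty.append(ev)
    return hits, empty


if __name__ == "__main__":
    got, missed = find_office_dll_downloads(SAMPLE_LOG)
    for ev in got:
        print("DLL delivered to", ev["ip"], "via", ev["proc"], "from", ev["url"])
    for ev in missed:
        print("DLL requested but not served to", ev["ip"], "(gated or stale URL?)")
```

The same split applies when replaying the URL from a sandbox: a fetch from outside Italy, or a repeat fetch, is expected to return nothing, so an empty response does not clear the attachment.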

Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware. The campaign is identical to those that hit our country on 7 April, 4 and 11 May.

Malware’s C2
