The files are packaged with Excel-DNA; from them a DLL containing two URLs pointing to Discord is extracted. These URLs serve data files that are transformed with XOR into additional DLLs, which start the malware infection.
Technical analysis by the Malware Hunter JAMESWT
Cybercrime: Ursnif/Gozi again abuses the BRT brand in a campaign targeting Italy. The xlsm attachment contacts a single URL from which it downloads the DLL that starts the malware infection, but only from Italian IPs that are not blacklisted.
Ursnif / Gozi goes back to hiding behind a fake BRT invoice in a new campaign in Italy.
The xlsm mail attachment, if opened, contacts a single URL from which it downloads the DLL, starting the malware infection.
Moreover, the attack is targeted: the DLL is downloaded only if three conditions are met:
- The IP must be Italian;
- The IP must not be blacklisted;
- The DLL must not have already been downloaded.
Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware. The campaign is identical to those that hit our country on 7 April, 4 and 11 May.