
Cybercrime, Ursnif / Gozi is now delivered with the IcedID template

Technical analysis by the Malware Hunter JAMESWT

Ursnif / Gozi is now delivered with the IcedID template. The attack is part of the TA551 (Shathak) campaign. The xlsm file in the email zip attachment contacts URLs from an internal list to download the DLL and start the malware infection.

Ursnif / Gozi now uses the IcedID template to spread. The xlsm file, contained in the email zip attachment, contacts a series of URLs from an internal list to download the DLL, which starts the malware infection chain.

Moreover, the cybercrime attack is part of the TA551 campaign (aka Shathak). In the past, this campaign has delivered Ursnif / Gozi and the info-stealer Valak, before switching to IcedID in January 2021. In this case, it appears that the delivery systems of the two Trojans were mixed.

C2s and Ursnif/Gozi configuration
