
Cybercrime, Ursnif/Gozi uses real compromised emails in the campaign in Italy

The Ursnif/Gozi campaign in Italy now goes through real, compromised business email accounts. The message carries a password-protected compressed attachment with a doc file inside; when opened, the document contacts a URL and downloads the dll that starts the malware infection.

Ursnif/Gozi has changed its strategy for spreading in Italy and now uses real compromised email accounts. Malware Hunter JAMESWT has discovered several messages, sent from the accounts of Italian companies (which were immediately alerted), that contain a password-protected compressed attachment. Inside is a doc file which, if opened, contacts a URL (different in each document) to download the dll that starts the malware infection. At the moment the dll is served only if the requesting IP is Italian, and only once per IP: after the first download the IP is placed on a blacklist. Ursnif/Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware.
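The first stage of the chain described above (a password-protected archive carrying an Office document) can be spotted at the mail gateway without opening the document, because the ZIP format marks encrypted members in plain metadata. The helper below is an added example, not code from the article or from JAMESWT's analysis: it reads only the archive's central directory, reports whether any member is encrypted and whether any member looks like an Office document, and flags the combination. The fixture builder and the file name `fattura.doc` are constructed for the example; Python's `zipfile` cannot write encrypted archives, so the "encrypted" fixture is produced by setting the encryption flag bit in the headers by hand.

```python
"""Triage helper for mail attachments: flag password-protected ZIPs that
carry an Office document. Hypothetical example code, not from the article."""
import io
import struct
import zipfile

# Office document extensions worth flagging when found inside a protected archive
OFFICE_EXTENSIONS = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm",
                     ".ppt", ".pptm", ".rtf"}
ZIP_FLAG_ENCRYPTED = 0x0001  # bit 0 of the general-purpose flag: member is encrypted


def inspect_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment without extracting anything.

    Returns a dict with:
      encrypted       - True if any member has the encryption flag set
      office_members  - names of members with an Office document extension
      suspicious      - True when both conditions hold (the pattern above)
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"encrypted": False, "office_members": [],
                "suspicious": False, "error": "not a zip archive"}
    encrypted = False
    office_members = []
    for info in zf.infolist():          # central directory only; no member is read
        if info.flag_bits & ZIP_FLAG_ENCRYPTED:
            encrypted = True
        name = info.filename.lower()
        if any(name.endswith(ext) for ext in OFFICE_EXTENSIONS):
            office_members.append(info.filename)
    return {"encrypted": encrypted, "office_members": office_members,
            "suspicious": encrypted and bool(office_members)}


def make_fixture(encrypted: bool) -> bytes:
    """Build a constructed sample archive holding one member, 'fattura.doc'.

    The member body is filler (an OLE magic prefix plus text), not a real
    document. Because zipfile cannot write encrypted entries, the encrypted
    variant is made by setting bit 0 of the general-purpose flag in both the
    local file header (offset 6) and the central directory header (offset 8).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("fattura.doc", b"\xd0\xcf\x11\xe0 filler, not a real document")
    raw = bytearray(buf.getvalue())
    if encrypted:
        struct.pack_into("<H", raw, 6, ZIP_FLAG_ENCRYPTED)      # local header
        cd = raw.find(b"PK\x01\x02")                            # central directory
        struct.pack_into("<H", raw, cd + 8, ZIP_FLAG_ENCRYPTED)
    return bytes(raw)


if __name__ == "__main__":
    for flag in (False, True):
        print("encrypted fixture" if flag else "plain fixture",
              inspect_zip_attachment(make_fixture(flag)))
```

Run the check over every archive attachment before delivery and route hits to quarantine or manual review; the document itself is never opened. Two points from the campaign matter for follow-up analysis: the download URL differs per document, so blocking individual URLs gives little coverage, and the server answers only once per Italian IP, so a sandbox that has already fetched the payload from an address will not receive it again from that address.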

The emails sent from compromised company accounts

The doc file in the password-protected attachment

The Ursnif/Gozi dll’s C2s
