The email attachment contains an exe file, the malware itself, which downloads other payloads. At the moment, however, it is not known what they are.
The Ursnif / Gozi campaign in Italy now goes through genuine compromised business email accounts. The malicious message carries a password-protected compressed attachment with a doc file inside. The document contacts a link and downloads the DLL that starts the malware infection.
Ursnif / Gozi changes its strategy for spreading in Italy and now uses genuine compromised email accounts. Malware hunter JAMESWT has discovered several messages, sent from companies in our country (which were alerted immediately), that contain a password-protected compressed attachment. Inside is a doc file which, if opened, contacts a URL (different in each document) to download the DLL that starts the malware infection. At the moment, however, the DLL is served only if the requesting IP address is Italian. Moreover, each IP address can download it only once: after the first download the address is placed on a blacklist. Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware.
The emails sent from compromised company accounts