
Cybercrime, Italy hit by a continuous Ursnif/Gozi offensive

Technical analysis by the Malware Hunter JAMESWT

Italy hit by a continuous Ursnif/Gozi cybercrime offensive. Institutions are used as lures in daily campaigns; the latest one exploits INPS. An xls attachment, different for each message, contacts a single link and downloads a DLL that starts the malware infection.

Italy has been under a huge and continuous Ursnif/Gozi offensive for almost a year now. Cybercrime actors use institutions such as ministries and the National Social Welfare Institute (INPS) as lures to spread daily campaigns. The latest one, which involves INPS, exploits a fake dispute about contributions and an xls attachment that is different for each message. If opened, the attachment contacts a single link and downloads a DLL that activates the malware infection chain. Yesterday the lures were also the Ministry of Economic Development (MISE) and the Covid-19 emergency. Furthermore, the attacks explicitly target Italy: the links serve the DLL only when contacted from Italian IP addresses. Ursnif/Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware.
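The delivery pattern the article describes (an Office attachment that reaches out to one URL and pulls down a DLL, which is then loaded) is something a SOC can correlate on from endpoint telemetry. The following is an added detection example written for this page; it is not code from the article or from the researcher. It assumes a Sysmon-like event shape (process name plus either a requested URL or a spawned child process), and every host name, timestamp and URL in the sample set is constructed, with `example.invalid` domains standing in for real ones. Because the article notes the download is geo-fenced to Italian IPs, a sandbox or host egressing from elsewhere may fetch nothing, so an Office process requesting a DLL is flagged even when no loader follows, just at a lower severity.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable
from urllib.parse import urlparse

# Process names are assumed lower-cased by the collector (assumption, not from the page).
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOADER_PROCESSES = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                    "wscript.exe", "cscript.exe", "powershell.exe"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str    # "net" = outbound HTTP(S) request, "proc" = child process creation
    image: str   # process that generated the event
    detail: str  # "net": requested URL; "proc": child process image name


def is_dll_url(url: str) -> bool:
    """True when the URL path ends in .dll, the payload type the article describes."""
    return urlparse(url).path.lower().endswith(".dll")


def find_office_dll_downloads(events: Iterable[Event],
                              window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Flag Office processes that fetched a DLL, and record whether the same Office
    process spawned a known DLL loader on the same host within `window` afterwards.
    A fetch with no loader is still reported (medium): the geo-fence may have
    returned an empty response, or the loader may use a process not listed here."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, e in enumerate(events):
        if e.kind != "net" or e.image not in OFFICE_PROCESSES or not is_dll_url(e.detail):
            continue
        loader = None
        for later in events[i + 1:]:
            if later.ts - e.ts > window:
                break  # events are time-sorted, so nothing further is in the window
            if (later.host == e.host and later.kind == "proc"
                    and later.image == e.image and later.detail in LOADER_PROCESSES):
                loader = later.detail
                break
        findings.append({
            "host": e.host, "ts": e.ts, "image": e.image, "url": e.detail,
            "loader": loader, "severity": "high" if loader else "medium",
        })
    return findings


# Constructed sample telemetry (not real hosts, URLs or times).
T0 = datetime(2021, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # host1: Excel fetches a DLL, then launches rundll32 40 seconds later -> high
    Event(T0, "host1", "net", "excel.exe", "http://download.example.invalid/inps/doc.dll"),
    Event(T0 + timedelta(seconds=40), "host1", "proc", "excel.exe", "rundll32.exe"),
    # host2: Excel opening a spreadsheet from an intranet share is not the pattern
    Event(T0 + timedelta(minutes=1), "host2", "net", "excel.exe",
          "https://intranet.example.invalid/report.xlsx"),
    # host3: a browser downloading a DLL is common and is not what this rule correlates on
    Event(T0 + timedelta(minutes=2), "host3", "net", "chrome.exe", "http://cdn.example.invalid/lib.dll"),
    # host4: Excel fetched a DLL but the loader appears only 17 minutes later -> medium
    Event(T0 + timedelta(minutes=3), "host4", "net", "excel.exe", "http://download.example.invalid/mise/doc.dll"),
    Event(T0 + timedelta(minutes=20), "host4", "proc", "excel.exe", "rundll32.exe"),
]


if __name__ == "__main__":
    for f in find_office_dll_downloads(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['host']} {f['image']} -> {f['url']} loader={f['loader']}")
```

On real data the `window` and `LOADER_PROCESSES` set are the knobs to tune; the rule deliberately keys on the Office process itself making the request, which is the distinguishing feature of the attachment-driven chain the article describes, rather than on any specific URL or hash.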

Figure: The malicious mail about the Italian MISE and the Covid-19 emergency

Figure: The latest INPS campaign mail

Figure: The fake xls attachment

Figure: The links used to download the DLL

Figure: DNS and HTTP/HTTPS requests / connections

Figure: The C2s contacted by the malware

Figure: The malware family attribution
