The xls attachment of the mail, also arrived in Italy, randomly contacts a link from an internal list and downloads the dll, starting the malware infection.
Technical analysis by the Malware Hunter JAMESWT
Italy hit by a continous Ursif/Gozi cybercrime offensive. Institutions leveraged in daily-based campaigns. Last one exploits INPS. An xls attachment, different for each message, contacts a single link and downloads a DLL that activates malware infection
Italy is under a huge and continuos Ursnif/Gozi offensive for almost a year now. Cybercrime actors leverage institutions as ministries and National Social Welfare Institute (INPS) to spread daily-based campaigns. Last one, that involves INPS, exploits a fake contentious about contributions and an xls attachment, different for each message. This one, if opened, contacts a single link and downloads a DLL that activates the malware infection chain. Yesterday the lures were also Ministry of Economic Development (MISE) and Covid-19 emergency. Furthermore, the attacks target explicitly Italy. This is because the links download the DLL only if contacted by Italian IPs. Ursnif / Gozi is a banking Trojan, capable of intercepting network traffic, stealing credentials and downloading other malware.
The malicious mail about the Italian MISE and Covid-19 emergency
The last INPS campaign mail
the fake xls attachment
The links to download the DLL
DNS HTTP/HTTPS requests / Connection
The C2s contacted by the malware
The malware family attribution