The email xls attachment contacts a single link and downloads the DLL, activating the malware infection, provided that the victim's IP address is Italian and not on the blacklist.
Technical analysis by the Malware Hunter JAMESWT
The Revenue Agency is the lure for the third Ursnif / Gozi campaign in Italy in just one day. The email xlsb attachment contacts a URL (different in each message) and downloads the DLL, which starts the malware infection.
Third Ursnif / Gozi campaign in Italy in just one day: the bait this time is the Revenue Agency. In the previous two, the lures were a genuine stolen email conversation and a fake BRT invoice. The email attachment is a password-protected zip archive (the password is given in the message body) containing an xlsb file.
If opened, the xlsb file contacts a URL (different for each message) and downloads the DLL, which starts the malware infection. The campaign, like the other two, specifically targets the country: the DLL is served only if the requesting IP address is Italian. Moreover, the URLs have only been active since 06:30/07:00 this morning, even though the emails were sent earlier. Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware.
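Because the DLL is served only to Italian IP addresses and the URLs go live hours after the emails arrive, a sandbox detonated from the wrong egress or too early may see nothing but a harmless-looking spreadsheet. Endpoint telemetry does not depend on reproducing the download. The script below is an added example, not from the original post or from JAMESWT's analysis: it runs a simple heuristic for the chain described above (Office process makes a network connection, writes a DLL, then spawns a DLL loader) over a constructed, key=value style event log. The log format, hostnames, paths and URLs are all invented for the example.

```python
"""
Added example (not part of the original post): flag the Office -> URL -> DLL
-> loader chain in constructed EDR-style telemetry.
"""
import re
from typing import Dict, List, Tuple

OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

# Constructed sample telemetry: one event per line, key=value pairs,
# values containing spaces are double-quoted. Host pc01 shows the chain
# from the article; host pc02 is benign Excel activity and must not alert.
SAMPLE_LOG = """\
ts=2021-02-09T06:42:11 host=pc01 event=file_open proc=explorer.exe path=C:\\Users\\u\\Downloads\\Agenzia_Entrate.zip
ts=2021-02-09T06:42:30 host=pc01 event=process_start proc=excel.exe parent=explorer.exe cmd="EXCEL.EXE C:\\Users\\u\\AppData\\Local\\Temp\\documento.xlsb"
ts=2021-02-09T06:42:41 host=pc01 event=net_connect proc=excel.exe url=http://example.invalid/x/y.php
ts=2021-02-09T06:42:43 host=pc01 event=file_write proc=excel.exe path=C:\\Users\\u\\AppData\\Local\\Temp\\abc.dll
ts=2021-02-09T06:42:44 host=pc01 event=process_start proc=rundll32.exe parent=excel.exe cmd="rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\abc.dll,DllRegisterServer"
ts=2021-02-09T06:50:00 host=pc02 event=process_start proc=excel.exe parent=explorer.exe cmd="EXCEL.EXE C:\\Users\\v\\Documents\\budget.xlsx"
ts=2021-02-09T06:50:05 host=pc02 event=net_connect proc=excel.exe url=https://example.invalid/sharepoint/ok
"""

# key=value, where the value is either a double-quoted string or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one telemetry line into a dict; quoted values lose their quotes."""
    ev = {}
    for m in KV.finditer(line):
        ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return ev


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (host, reason, ts) findings for the Office->DLL delivery chain."""
    findings = []
    last_office_url: Dict[str, str] = {}  # host -> most recent URL an Office process contacted
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        host = ev.get("host", "?")
        proc = ev.get("proc", "").lower()
        parent = ev.get("parent", "").lower()
        etype = ev.get("event")

        if etype == "net_connect" and proc in OFFICE_PROCS:
            # Not an alert by itself (Office talks to the network legitimately),
            # but remembered as context for the next two checks.
            last_office_url[host] = ev.get("url", "")
        elif (etype == "file_write" and proc in OFFICE_PROCS
              and ev.get("path", "").lower().endswith(".dll")):
            url = last_office_url.get(host, "no prior URL seen")
            findings.append((host, f"Office process wrote a DLL (last URL: {url})", ev["ts"]))
        elif etype == "process_start" and proc in DLL_LOADERS and parent in OFFICE_PROCS:
            findings.append((host, f"DLL loader spawned by Office: {ev.get('cmd', '')}", ev["ts"]))
    return findings


if __name__ == "__main__":
    for host, reason, ts in detect(SAMPLE_LOG):
        print(f"[{ts}] {host}: {reason}")
```

The geofence and the delayed activation are precisely why the rule keys on what happens on the endpoint rather than on the URL: even when the download never succeeds (non-Italian egress, URL not yet live), an Office process spawning rundll32 or regsvr32 is rare enough in most environments to be worth a ticket, and the recorded URL gives the analyst the artefact to block.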