
Cybercrime, the Revenue Agency lure for the third Ursnif / Gozi campaign in Italy in one day

Technical analysis by the Malware Hunter JAMESWT

The Revenue Agency is the lure for the third Ursnif / Gozi campaign in Italy in just one day. The email's .xlsb attachment contacts a URL (different in each message) and downloads the DLL that starts the malware infection.

Third Ursnif / Gozi campaign in Italy in just one day: this time the bait is the Revenue Agency (Agenzia delle Entrate). The previous two used a genuine stolen email conversation and a fake BRT invoice. The email's compressed attachment, a password-protected zip (the password is given in the message body), contains an .xlsb file.

If opened, the file contacts a URL (different for each message) and downloads the DLL, which starts the malware infection. Like the other two, the campaign specifically targets the country: the DLL is served only to Italian IP addresses. Moreover, the URLs have only been active since 06:30/07:00 this morning, even though the emails were sent earlier. Ursnif / Gozi is a banking Trojan capable of intercepting network traffic, stealing credentials and downloading other malware.
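The chain described above (password-protected zip, .xlsb inside, download URL sitting in a cell string) is something a triage script can pull apart offline. The following is an added example, not part of JAMESWT's analysis and not a tool from the campaign: it builds a constructed sample of that lure, then walks the .xlsb (which is itself an OPC zip) and extracts URLs both by parsing the BIFF12 shared-string records in xl/sharedStrings.bin (record ids BrtBeginSst 0x9F, BrtSSTItem 0x13, BrtEndSst 0xA0 per MS-XLSB) and by carving UTF-16LE URLs from every other part. The URL, password and file name are placeholders; the sample's outer zip is left unencrypted because Python's zipfile can only read, not write, ZipCrypto, while the reader path still passes the password as it would against a real lure.

```python
import io
import re
import struct
import zipfile

# Constructed placeholders: not indicators from the campaign.
SAMPLE_URL = "http://example.invalid/dl/payload.dll"
ZIP_PASSWORD = b"1234"  # hypothetical, as if quoted in the lure email

BRT_BEGIN_SST, BRT_SST_ITEM, BRT_END_SST = 0x9F, 0x13, 0xA0
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# UTF-16LE "http://" or "https://" followed by printable ASCII, as stored in xlsb strings.
UTF16_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def _put_varint(n: int) -> bytes:
    """BIFF12 record type/size: 7 bits per byte, high bit = more bytes follow."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append((b | 0x80) if n else b)
        if not n:
            return bytes(out)


def _get_varint(data: bytes, pos: int, max_bytes: int):
    value, shift = 0, 0
    for i in range(max_bytes):
        b = data[pos + i]
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos + i + 1
    return value, pos + max_bytes


def _record(rtype: int, payload: bytes) -> bytes:
    return _put_varint(rtype) + _put_varint(len(payload)) + payload


def build_shared_strings(strings) -> bytes:
    """Minimal xl/sharedStrings.bin: BrtBeginSst, one BrtSSTItem per string, BrtEndSst."""
    parts = [_record(BRT_BEGIN_SST, struct.pack("<II", len(strings), len(strings)))]
    for s in strings:
        # BrtSSTItem: 1 flag byte, then XLWideString (cch uint32 + UTF-16LE chars)
        parts.append(_record(BRT_SST_ITEM, b"\x00" + struct.pack("<I", len(s)) + s.encode("utf-16-le")))
    parts.append(_record(BRT_END_SST, b""))
    return b"".join(parts)


def parse_shared_strings(data: bytes):
    """Walk the BIFF12 record stream and return the plain text of each shared string."""
    pos, out = 0, []
    while pos < len(data):
        rtype, pos = _get_varint(data, pos, 2)
        size, pos = _get_varint(data, pos, 4)
        payload = data[pos:pos + size]
        pos += size
        if rtype == BRT_SST_ITEM and len(payload) >= 5:
            cch = struct.unpack_from("<I", payload, 1)[0]
            out.append(payload[5:5 + 2 * cch].decode("utf-16-le", "replace"))
        elif rtype == BRT_END_SST:
            break
    return out


def carve_utf16_urls(blob: bytes):
    return [m.group(0).decode("utf-16-le") for m in UTF16_URL_RE.finditer(blob)]


def triage_lure(zip_bytes: bytes, password: bytes) -> dict:
    """Open the (password-protected) outer zip, find .xlsb members, pull URLs out of them."""
    findings = {"xlsb_files": [], "urls": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for name in outer.namelist():
            if not name.lower().endswith(".xlsb"):
                continue
            findings["xlsb_files"].append(name)
            xlsb = outer.read(name, pwd=password)  # pwd is ignored for unencrypted members
            with zipfile.ZipFile(io.BytesIO(xlsb)) as opc:
                for part in opc.namelist():
                    blob = opc.read(part)
                    if part == "xl/vbaProject.bin":
                        findings["has_vba"] = True
                    if part == "xl/sharedStrings.bin":
                        for s in parse_shared_strings(blob):
                            findings["urls"].extend(URL_RE.findall(s))
                    else:
                        findings["urls"].extend(carve_utf16_urls(blob))
    findings["urls"] = sorted(set(findings["urls"]))
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample: zip -> Documento.xlsb (OPC zip) whose shared strings hold a URL."""
    xlsb = io.BytesIO()
    with zipfile.ZipFile(xlsb, "w") as opc:
        opc.writestr("[Content_Types].xml", "<Types/>")
        opc.writestr("xl/workbook.bin", b"")
        opc.writestr("xl/sharedStrings.bin", build_shared_strings(["Agenzia delle Entrate", SAMPLE_URL]))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:  # unencrypted: zipfile cannot write ZipCrypto
        z.writestr("Documento.xlsb", xlsb.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(triage_lure(build_sample_lure(), ZIP_PASSWORD))
```

The raw UTF-16LE carve is the fallback for parts the parser does not cover, such as macro sheets whose formula string tokens also hold UTF-16LE text; it will not see URLs inside compressed VBA streams, which need a separate decompressor. Resolving any extracted URL from outside Italy will not reproduce the download, since the DLL is only served to Italian IP addresses.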

The URL in the xlsb file's cell

The first malicious xlsb files, with the actual dates and times they were created in green

The list from which the xlsb files download the DLL

The malware C2s
