In recent weeks, a new variant of the infamous
Ursnif malware was discovered hitting Italian users through a malspam campaign. Yoroi-Cybaze ZLAB isolated several malicious emails with the following characteristics:
- Subject: “VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA” (roughly: “Your DHL shipment AWB 94856978972 from GREAT BRITAIN, parcel-holding notice”)
- Attachment: “GR930495-30495.zip”
The archive contains a .js file which, when launched, starts the infection by downloading further components from the Internet.
The Dropper
The initial dropper is an obfuscated JavaScript file. Once run, it generates a large amount of noisy Internet traffic in order to hinder detection of the real malicious infrastructure: as the following figures show, the script contains a series of random-looking URLs that it unsuccessfully tries to connect to, producing a huge volume of noise in the analysis environment.
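As an added example, not part of the Yoroi-Cybaze analysis, the following Python script shows how an analyst can triage this kind of decoy traffic from a sandbox network log. It separates hosts that never answered (the noise) from hosts that actually served content (candidates for the real download infrastructure), and flags processes that burst through many distinct hosts in a short window, which is the behavioural signature of this dropper. The log format, the host names and the sample lines are constructed for illustration and do not come from the report.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sandbox network-log sample (not from the original report).
# Format: "<timestamp> <pid> <method> <url> <result>", where result is an
# HTTP status code or the literal FAILED when no connection was established.
SAMPLE_LOG = """\
2019-04-10T10:02:01 4120 GET http://qz8kd2.example/x7/ FAILED
2019-04-10T10:02:01 4120 GET http://wp0v9rt3.example/a/ FAILED
2019-04-10T10:02:02 4120 GET http://ku3mz.example/img/1.gif FAILED
2019-04-10T10:02:02 4120 GET http://cdn-update.example/load/stage2.bin 200
2019-04-10T10:02:03 4120 GET http://l9x2qa.example/ FAILED
2019-04-10T10:02:03 4120 GET http://hg7qe1p.example/ FAILED
2019-04-10T10:02:04 4120 GET http://cdn-update.example/load/stage3.dll 200
2019-04-10T10:02:05 4120 GET http://xv4d0k.example/ FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["pid"] = int(d["pid"])
        d["host"] = urlparse(d["url"]).hostname
        # A request counts as successful only on a 2xx/3xx status code.
        d["ok"] = d["result"].isdigit() and 200 <= int(d["result"]) < 400
        entries.append(d)
    return entries


def triage(entries):
    """Split contacted hosts into never-answering noise and real candidates."""
    by_host = defaultdict(lambda: {"attempts": 0, "successes": 0})
    for e in entries:
        stats = by_host[e["host"]]
        stats["attempts"] += 1
        if e["ok"]:
            stats["successes"] += 1
    noise = sorted(h for h, s in by_host.items() if s["successes"] == 0)
    candidates = sorted(h for h, s in by_host.items() if s["successes"] > 0)
    total = len(entries)
    failed = sum(1 for e in entries if not e["ok"])
    return {
        "distinct_hosts": len(by_host),
        "failure_ratio": failed / total if total else 0.0,
        "noise_hosts": noise,
        "candidate_hosts": candidates,
    }


def decoy_burst(entries, window_seconds=10, min_distinct_hosts=5):
    """Return pids that contacted >= min_distinct_hosts distinct hosts
    within any sliding window of window_seconds (the decoy-traffic pattern)."""
    per_pid = defaultdict(list)
    for e in entries:
        per_pid[e["pid"]].append(e)
    flagged = []
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_distinct_hosts:
                flagged.append(pid)
                break
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(triage(parsed))
    print("burst pids:", decoy_burst(parsed))
```

Connection outcome is the cheapest discriminator, but it is not sufficient on its own: a decoy domain may be parked and answer with a generic page. In practice the candidate list is then narrowed further by response size and content type, and the burst detector is what turns the dropper's own evasion trick into a detection signal.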