The well-known Gozi bank Trojan, also known as ISFB or Ursnif, was first discovered in 2007. In the past ten years, it has remained active and is considered to be one of the longest bank Trojans ever discovered.
Gozi has leaked its source code several times during its development history, which has enabled the powerful features of the Gozi code base to be integrated into other malwares, such as stealing the multi-million dollar Trojan virus GozNym from a North American bank in 2016.
After the GozNym theft, the Talos team of Cisco’s cybersecurity department has been monitoring malicious activities related to Gozi. Based on the monitoring results based on the most recent six months, the Talos team found that Gozi is still active, even adopting new technologies in recent activities, such as using the “Dark Cloud” botnet for distribution.
The Talos team has discovered several unusual Gozi distributions in the past few months. The attackers did not choose to send large numbers of spam emails to many target organizations at the same time. Instead, the attackers appear to be targeted. Not only that, these e-mails have also been carefully designed to escape detection and are more convincing.
In addition, the attacker not only allows the distribution and command and control (C&C) infrastructure to be active for only a short period of time but also quickly moves to a new domain name and IP address. All of this will make it more difficult for investigators to analyze their activities and malware samples.
Spam emails use Microsoft Word documents as attachments. When opened, the file displays a decoy image that looks like it was created using Office 365. It prompts the recipient to “Enable editing” and then “Enable content” to see the content.
If the recipient chooses to do so, a malicious macro embedded in the Word document will execute and download and run the malware on the attacker-controlled server.
The final malware will vary according to the specific activity. The vast majority are banking Trojans based on the Gozi code base, and some belong to other malware families such as CryptoShuffler, Sennoma, and SpyEye.
Based on an analysis of the infrastructure used by the Dark Cloud botnet, the Talos team found that most systems were located in Eastern Europe, Asia, and the Middle East.
The Talos team concluded that as a bank cryptovirus, Gozi is widely used worldwide to attack organizations around the world. It has been around for more than 10 years, and according to its ongoing list of activities, it will not disappear soon. Attackers are continuing to improve their technology and find effective new ways to confuse their malicious server infrastructure, trying to make analysis and tracking more difficult.
Source, Image: talosintelligence
