Dreambot, also known as Ursnif and Gozi ISFB, is malware designed to steal passwords and credentials, primarily targeting the banking and financial sectors. Threat researchers have described it as "frighteningly lucrative," even by the standards of an already profitable cybercrime market. The malware is distributed globally through exploit kits, email attachments, and malicious links. It has been linked to several ransomware families, including Bad Rabbit, GandCrab, LockBit 2.0, and STOP/DJVU, and to numerous other malware families such as BankBot, Godzilla, Nymaim, Pony Loader, PrivateLoader, and SmokeLoader.
Dreambot's activity was first noted in 2016, with payload links identified on July 8th and August 11th of that year. In one instance, it was distributed via a Microsoft Word attachment in Poland on June 22, 2016. Dreambot's distribution vectors span a variety of exploit kits as well as email campaigns using both malicious document attachments and URLs, making it one of the most active banking Trojans recently observed.
The malware continues to evolve, with multiple versions seen spreading in the wild over the past few months. Notably, the Tor-enabled versions of Dreambot present an increased challenge for defenders and IT organizations because they are harder to detect at the network level. Furthermore, the actor behind Dreambot offers fast flux on infected computers in regions such as Asia, Africa, and the Middle East; the constantly changing IP addresses make the associated content difficult to block. Threat researchers continue to monitor Dreambot and its growing list of capabilities as it remains in active development.
Description last updated: 2024-05-04T21:45:16.505Z