Gozi

Malware updated 7 months ago (2024-05-04T17:21:31.642Z)
Gozi is a long-running banking Trojan, also tracked as Ursnif and ISFB, that has been linked to numerous cyber attacks. In recent campaigns it has been delivered through malvertising: when a user visits a compromised or attacker-controlled website, a malicious MSIX installer is downloaded, and that installer may carry additional payloads including Gozi. The same delivery chain has been used for other initial-access malware such as the Pikabot botnet agent and the IcedID information stealer.

Gozi itself is not new. The Ursnif (aka Gozi, ISFB) banking Trojan has been active since 2007, and the campaigns associated with it have targeted organizations primarily in Western Europe and Japan. The operators most often linked to Gozi distribution (see TA544 under the aliases below) have used a variety of malware over the years, but are best known for Ursnif and for a second-stage downloader dubbed WikiLoader. WikiLoader, also referred to as WailingCrab, was first observed in December 2022 and has since been used extensively in email campaigns, often against Italian targets, to deliver Gozi. These operators continue to evolve their tactics, as shown by their abuse of CVE-2023-36025 (a Windows SmartScreen security-feature bypass) in a campaign that delivered Remcos, a remote access Trojan.

Gozi's capabilities extend beyond simple infection. In one observed chain, a PowerShell script fetched additional executables from a remote website, including an AES-encrypted Gozi payload and the Vidar information stealer, which retrieved its command-and-control (C2) address from Telegram. The threat posed by Gozi and the malware families it travels with is significant: together they exploit vulnerabilities, steal credentials and other sensitive data, and disrupt operations across many geographies and sectors.
Description last updated: 2024-05-04T16:38:00.751Z
Possible Aliases / Cluster overlaps
Vendors use different names and cluster boundaries, so the entries below are names and profiles that may overlap with Gozi. Only Ursnif and ISFB are true aliases for the same malware family; the remaining entries (IcedID, Pikabot, TA544, WikiLoader) are related actors or distinct families that co-occur with Gozi in campaigns. Each entry gives the alias, its description, and the number of votes.
Ursnif (6 votes): Genuine alias. Ursnif, also known as Gozi or ISFB, is malware that has been distributed by the threat actor group TA551. It can infiltrate systems via suspicious downloads, emails, or websites, and once inside it can steal personal information, disrupt operations, or even hold data for ra…

IcedID (3 votes): Listed as a possible alias, but IcedID is a distinct malware family that appears alongside Gozi in the same campaigns rather than a name for it. IcedID has been implicated in numerous cybercrime campaigns and has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d…

Pikabot (2 votes): Likewise a related but distinct family. Pikabot is a trojan that provides initial access to infected computers, enabling ransomware deployment, remote takeover, and data theft. It is part of a wider array of malicious software including IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoa…

ISFB (2 votes): Genuine alias. ISFB, also known as Gozi or Ursnif, has been a significant part of the cyberthreat landscape for several years. It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user'…

TA544 (2 votes): A threat actor rather than a malware alias. TA544 is a financially motivated threat actor tracked by the cybersecurity firm Proofpoint and others since at least 2017. It typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, als…

WikiLoader (2 votes): A distinct downloader used to deliver Gozi, not an alias for it. WikiLoader, also known as WailingCrab, was first discovered in 2022 by Proofpoint and made public in 2023. It is sold in underground marketplaces by an initial access broker (IAB) and is often spread through traditional phishing techni…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Malware, Trojan, Exploit, Ransomware, Windows, Botnet
Associated Malware
Each entry gives the associated malware, its description, the association type, and the number of votes.
Gozi ISFB (association type: unspecified; 3 votes): Gozi ISFB, also known as Ursnif and Dreambot, is malware that has been actively developed and distributed worldwide. It primarily targets the banking and financial sectors by stealing passwords and credentials from victims. Note that this is the same family as Gozi itself rather than a separate malware.

Zeus (association type: unspecified; 2 votes): Zeus is a notorious banking Trojan, often spread through suspicious downloads, emails, or websites, that can infiltrate systems without the user's knowledge. Once inside, it can steal personal information, disrupt operations…

BlackEnergy (association type: unspecified; 2 votes): BlackEnergy is a malware toolkit that has been used by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine, where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a…

WastedLocker (association type: unspecified; 2 votes): WastedLocker is ransomware developed by Evil Corp, a notorious cybercriminal organization. It targets Windows systems, encrypting users' data and demanding a ransom for its release. Originating in 2020, WastedLocker utili…

Dridex (association type: unspecified; 2 votes): Dridex is a banking Trojan that appeared in 2014 and infiltrates systems through suspicious downloads, emails, or websites. It was operated primarily by the Russian cybercriminal group Evil Corp. The group ta…
Source Document References
Information about the Gozi malware was read from the documents listed below. The display is limited to 20 results; document titles and links were not captured. Each entry gives the source and the age of the document at the time of collection.
CERT-EU, 8 months ago
CERT-EU, 8 months ago
CERT-EU, a year ago
MITRE, a year ago
DARKReading, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
DARKReading, a year ago
DARKReading, a year ago
SecurityIntelligence.com, a year ago
CERT-EU, a year ago
Unit42, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
Unit42, a year ago
CERT-EU, a year ago
CERT-EU, 2 years ago
CERT-EU, a year ago
BankInfoSecurity, a year ago
CERT-EU, a year ago