Gozi

Malware Profile Updated 3 months ago
Gozi is a notorious malware family that has been linked to numerous cyber attacks. It is typically delivered through sophisticated malvertising, often alongside other initial-access malware such as the Pikabot botnet agent and the IcedID information stealer: when a user visits a compromised website, a malicious MSIX installer is downloaded, which may carry additional payloads including Gozi. This malware, first detected in 2023, has been associated with various campaigns targeting organizations primarily in Western Europe and Japan and is known for distributing the Ursnif (aka Gozi) banking Trojan.

The threat group behind Gozi has used a variety of malware tools over the years, but it gained notoriety for the Ursnif banking Trojan and a sophisticated second-stage downloader dubbed WikiLoader. WailingCrab, also referred to as WikiLoader, was first observed in December 2022 and has since been used extensively in email campaigns, often against Italian targets, to deliver the Gozi backdoor. The group has shown a propensity for evolving its tactics, as demonstrated by its abuse of CVE-2023-36025 in a campaign involving the Remcos remote access Trojan.

Gozi's capabilities extend beyond simple infection. In one instance, a PowerShell script retrieved additional executables from a remote website, including an AES-encrypted Gozi banking Trojan and the Vidar Stealer information stealer, which used Telegram to obtain its command-and-control (C2) information. The threat posed by Gozi and its associated malware families is significant, given their ability to exploit vulnerabilities, steal sensitive data, and disrupt operations across diverse geographies and sectors.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Ursnif | 6 | Ursnif, also known as Gozi or ISFB, is a type of malware that poses significant threats to computer systems and user data. It's often distributed through suspicious downloads, emails, or websites, infiltrating systems without the user's knowledge. Once installed, Ursnif can steal personal informatio
IcedID | 3 | IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Wikiloader | 2 | WikiLoader is a sophisticated malware, first documented by Proofpoint in August 2023, primarily targeting organizations through email campaigns. The malware often exploits themes like overdue deliveries or shipping invoices to trick users into interacting with infected content. A notable campaign wa
Ta544 | 2 | TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, als
Isfb | 2 | ISFB, also known as Gozi or Ursnif, is a form of malware that has been a significant part of the cyberthreat landscape for several years. This malicious software is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user'
Pikabot | 2 | PikaBot is a harmful malware that emerged in 2023, designed to exploit and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often undetected by the user. Once inside a system, PikaBot can pilfer personal information, disrupt operations, or even ransom d
QakBot | 1 | Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Cobaltstrike | 1 | CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte
Snifula | 1 | (none)
Nokoyawa | 1 | Nokoyawa is a notorious malware, particularly known for its ransomware capabilities. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
Papras | 1 | Papras, also known as Gozi or Gozi CRM, is a malicious software (malware) that first emerged in 2006. This harmful program is designed to exploit and damage computers or devices, often infiltrating systems through suspicious downloads, emails, or websites without the user's knowledge. Its primary fu
Blackbasta | 1 | BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Bazarloader | 1 | BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Wailingcrab | 1 | The WailingCrab malware, first observed in December 2022, has been used extensively in email campaigns to deliver the Gozi backdoor, primarily targeting Italian entities. The malware's attack chains start with emails containing PDF attachments with URLs that download a JavaScript file when clicked.
SVCReady | 1 | SVCReady is a relatively new malware family first observed in malicious spam campaigns at the end of April 2022. This harmful software, designed to exploit and damage computers or devices, was initially unknown but has since been identified through IDS rules published by Proofpoint. The malware infe
Vidar Stealer | 1 | Vidar Stealer is a prolific infostealer malware that operates on a malware-as-a-service model, sold through ads and forums on the dark web and Telegram groups. It's designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data for ransom. Th
Redline Stealer | 1 | RedLine Stealer is a type of malware that has been causing significant disruption in the digital landscape. This malicious software infiltrates computer systems, often without the user's knowledge, via suspicious downloads, emails, or websites, and then proceeds to steal personal information, disrup
Smoke Loader | 1 | Smoke Loader is a prominent type of malware identified by the SCPC SSSCIP, used in recent attacks primarily targeting Ukrainian organizations. This malicious software is often delivered via IPFS links by malware families such as Smoke Loader, XLoader, XMRig, and OriginLogger, disrupting operations a
Lumma Stealer | 1 | Lumma Stealer is a malicious software (malware) that infiltrates systems primarily to steal personal information, disrupt operations, and exploit vulnerabilities. According to the ESET Threat Report H2 2023, Lumma Stealer gained significant traction in the second half of 2023, with its capabilities
Netsupport Manager | 1 | NetSupport Manager is a malicious software (malware) that poses significant threats to computer systems and networks. It is often disguised as legitimate software or tools, such as the 7-zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once
Sectop Rat | 1 | (none)
Dreambot | 1 | Dreambot, also known as Ursnif and Gozi ISFB, is a malicious software (malware) designed to steal passwords and credentials, primarily targeting the banking and financial sectors. It has been described by threat researchers as "frighteningly lucrative," compared to the already profitable cybercrime
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Exploit
Windows
Ransomware
Botnet
Infostealer
Crypter
Rat
Banking
Financial
Phishing
Malvertising
Github
Telegram
Remcos
Downloader
Backdoor
Proxy
Fraud
Cybercrime
Payload
Spam
Encryption
Bot
Spyware
Italy
Associated Malware
ID | Type | Votes | Profile Description
Gozi Isfb | Unspecified | 3 | Gozi ISFB, also known as Ursnif and Dreambot, is a malicious software (malware) that has been actively developed and distributed worldwide. This malware is designed to exploit computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims.
BlackEnergy | Unspecified | 2 | BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
WastedLocker | Unspecified | 2 | WastedLocker is a type of malware developed by the Evil Corp Group, known for its malicious activities. This malware variant was first identified in 2020 and is part of an evolution of ransomware that began with Dridex, followed by DoppelPaymer developed in 2019, and then WastedLocker. The malware i
Dridex | Unspecified | 2 | Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Zeus | Unspecified | 2 | Zeus is a type of malware, short for malicious software, designed to exploit and damage computers or devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Zeus can steal personal information, disrupt operations, or even hold da
Bumblebee | Unspecified | 1 | Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
Smokeloader | Unspecified | 1 | SmokeLoader is a malicious software (malware) that has been extensively used by threat actors, particularly those associated with the Phobos ransomware. It functions as a backdoor trojan, often arriving on victims' systems via spoofed email attachments embedded with hidden payloads. Once downloaded,
Emotet | Unspecified | 1 | Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
Netwalker | Unspecified | 1 | NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that Ne
Zloader | Unspecified | 1 | ZLoader is a type of malware, malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the capacity to steal personal information, disrupt operations, or even ho
Diceloader | Unspecified | 1 | Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in
Ifsb | Unspecified | 1 | (none)
Vawtrak/neverquest | Unspecified | 1 | Vawtrak/Neverquest is a type of malware, malicious software designed to exploit and harm your computer or device. Malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once installed, it can steal personal information, disrupt operation
Royal Ransomware | Unspecified | 1 | Royal Ransomware is a type of malware that has been causing significant disruptions in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and ability to kill processes withi
Pushdo | Unspecified | 1 | Pushdo is a type of malware that has been associated with various cyber attacks and malicious activities. First recognized in 2013, Pushdo was identified as the most widespread "bad bot," infecting over 4.2 million IPs including those of private companies, government agencies, and military networks.
Cutwail | Unspecified | 1 | Cutwail is a notorious malware that has been associated with various botnets, including Necurs, Andromeda, and Dridex, at different stages of their lifecycle. It has been implicated in the distribution of malicious payloads such as IcedID, Gozi, and Pushdo, often using crypters like Hexa, Forest, Sn
Cryptone | Unspecified | 1 | CryptOne is a Delphi-based crypter malware, dating back to 2015, that has been frequently used by various malicious software families such as Gozi, Dridex, NetWalker, and WastedLocker. This crypter is reportedly offered as a Crypter-As-A-Service and it's capable of detecting and disabling a list of
Forest | Unspecified | 1 | Forest is a potent malware that leverages the Golden Ticket, an authentication ticket (TGT), to gain domain-wide access. It exploits the TGT to acquire service tickets (TGS) used for accessing resources across the entire domain and the Active Directory (AD) forest by leveraging SID History. The malw
TrickBot | Unspecified | 1 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Netsupport | Unspecified | 1 | NetSupport is a malicious software (malware) that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or
Valak | Unspecified | 1 | Valak is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It was distributed by threat actor TA551, which has historically pushed various families of information-stealing malware such as Ursnif and IcedID. Valak, in particular, is known as a malware down
BitPaymer | Unspecified | 1 | BitPaymer is a type of malware that operates as ransomware, encrypting files and demanding payment for their release. It was operated by the GOLD DRAKE threat group and was later reworked and renamed DoppelPaymer by the GOLD HERON threat group. As part of the Ransomware as a Service (RaaS) model tha
Associated Threat Actors
ID | Type | Votes | Profile Description
TA551 | Unspecified | 1 | TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma
ITG23 | Unspecified | 1 | ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Hive0106 | Unspecified | 1 | Hive0106, also known as TA551, is a notable threat actor recognized for its association with ITG23, another prominent entity in the cybercrime landscape. This partnership has been observed since mid-2021 by X-Force, a cybersecurity firm. Hive0106's primary role is as a distribution affiliate, delive
Indrik Spider | Unspecified | 1 | Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw Ind
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-36025 | Unspecified | 1 | CVE-2023-36025 is a significant vulnerability, representing a flaw in the design or implementation of Microsoft's Windows SmartScreen security feature. This vulnerability was discovered as one of three zero-days affecting Microsoft Windows and Server. The exploit begins with the execution of a malic
Ursnif/snifula | Unspecified | 1 | (none)
Hive0106 Ta551 | Unspecified | 1 | (none)
Source Document References
Information about the Gozi malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 4 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 5 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #computerhacker - Am I Hacker Proof
CERT-EU | 7 months ago | Microsoft Disables App Installer After Feature is Abused for Malware
MITRE | 7 months ago | DEV-0569 finds new ways to deliver Royal ransomware, various payloads | Microsoft Security Blog
DARKReading | 8 months ago | Exploit for Critical Windows Defender Bypass Goes Public
CERT-EU | 8 months ago | Security Week In Review: November 24, 2023
CERT-EU | 8 months ago | Alert: New WailingCrab Malware Loader Spreading via Shipping-Themed Emails
DARKReading | 8 months ago | Proof of Concept Exploit Publicly Available for Critical Windows SmartScreen Flaw
DARKReading | 8 months ago | Exploit for Critical Windows Defender Bypass Goes Public
SecurityIntelligence.com | 8 months ago | ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
CERT-EU | 10 months ago | Storm-0324 Exploits MS Teams Chats to Facilitate Ransomware Attacks
Unit42 | a year ago | RedLine Stealer: Answers to Unit Wireshark Quiz
CERT-EU | a year ago | Cost of a data breach 2023: Financial industry impacts
CERT-EU | a year ago | Remote access detection in 2023: Unmasking invisible fraud
Unit42 | a year ago | Crossing the Line: Unit 42 Wireshark Quiz for RedLine Stealer
CERT-EU | a year ago | Gozi strikes again, targeting banks, cryptocurrency and more
CERT-EU | a year ago | How the US Government is Fighting Back Against Ransomware | #ransomware | #cybercrime – National Cyber Security Consulting
CERT-EU | a year ago | Cybercriminals Renting WikiLoader to Target Italian Organizations with Banking Trojan | IT Security News
BankInfoSecurity | a year ago | New Malware WikiLoader Targeting Italian Organizations
CERT-EU | a year ago | Habemus Data Act, the game of musical chairs for DG COMP