Gozi

Malware Profile Updated 13 days ago
Gozi is a notorious malware family that has been linked to numerous cyber attacks. It is typically delivered through sophisticated malvertising, often alongside other initial-access malware such as the Pikabot botnet agent and the IcedID information stealer. When a user visits a compromised website, a malicious MSIX installer is downloaded that may carry additional payloads, including Gozi. This malware, first detected in 2023, has been associated with campaigns targeting organizations primarily in Western Europe and Japan, and it is known for distributing the Ursnif (aka Gozi) banking Trojan.

The threat group behind Gozi has used a variety of malware tools over the years, but it gained notoriety for its use of the Ursnif banking Trojan and a sophisticated second-stage downloader dubbed WikiLoader. WailingCrab, also referred to as WikiLoader, was first observed in December 2022 and has since been used extensively in email campaigns, often against Italian targets, to deliver the Gozi backdoor. The group has shown a propensity for evolving its tactics, as demonstrated by its abuse of CVE-2023-36025 in a campaign involving the Remcos remote access Trojan.

Gozi's capabilities extend beyond simple infection. In one instance, a PowerShell script retrieved additional executables from a remote website, including an AES-encrypted Gozi banking Trojan and the Vidar Stealer information stealer, which used Telegram to obtain its command and control (C2) information. The threat posed by Gozi and its associated malware families is significant, given their ability to exploit vulnerabilities, steal sensitive data, and disrupt operations across diverse geographies and sectors.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Ursnif (6 votes): Ursnif, also known as Gozi or ISFB, is a type of malware that is primarily used for information stealing. It is typically distributed through suspicious downloads, emails, or websites and can infect systems often without the user's knowledge. Once inside, it can steal personal information, disrupt o...

IcedID (3 votes): IcedID is a type of malware that was first discovered in 2017 and has been described as a banking Trojan and remote access Trojan. It can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside, it can steal personal information, disrupt...

Pikabot (2 votes): Pikabot, a harmful malware family, emerged in 2023 as a significant cyber threat. It is primarily associated with ransomware distribution, crypto mining, data theft, and remote control of infected devices. This malicious software has been distributed by TA577, a well-known threat group that had prev...

Isfb (2 votes): ISFB, also known as Gozi or Ursnif, is a form of malware that has been a significant part of the cyberthreat landscape for several years. This malicious software is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user'...

Ta544 (2 votes): TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, als...

Wikiloader (2 votes): WikiLoader is a novel and sophisticated malware that has been particularly active in targeting Italian organizations. It was first documented by Proofpoint in August 2023, with its primary mode of distribution being through phishing campaigns that exploit themes like overdue deliveries or shipping i...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Exploit
Ransomware
Windows
Botnet
Associated Malware
Gozi Isfb (type: Unspecified, 3 votes): Gozi ISFB, also known as Ursnif and Dreambot, is a malicious software (malware) that has been actively developed and distributed worldwide. This malware is designed to exploit computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims.

Zeus (type: Unspecified, 2 votes): Zeus, also known as ZeuS, is a notorious Trojan Horse malware created by Evgeniy Bogachev. This malicious software, designed to exploit and damage computer systems, gained infamy for its wide-ranging data theft capabilities and the complexity of its attack flow. It was often disseminated through sus...

BlackEnergy (type: Unspecified, 2 votes): BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a...

WastedLocker (type: Unspecified, 2 votes): WastedLocker is a type of malware developed by the Evil Corp Group, known for its malicious activities. This malware variant was first identified in 2020 and is part of an evolution of ransomware that began with Dridex, followed by DoppelPaymer developed in 2019, and then WastedLocker. The malware i...

Dridex (type: Unspecified, 2 votes): Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o...
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Gozi malware was read from the document corpus below. This display is limited to 20 results.
Unit42 (a year ago): Finding Gozi: Answers to Unit 42 Wireshark Quiz, March 2023
Unit42 (a year ago): Finding Gozi: Unit 42 Wireshark Quiz, March 2023
CERT-EU (9 months ago): Gozi strikes again, targeting banks, cryptocurrency and more
SecurityIntelligence.com (a year ago): The Trickbot/Conti Crypters: Where Are They Now?
CERT-EU (a year ago): Last of the Gozi 3 gets 36 months for malware ops scheme
CERT-EU (a year ago): Gozi / Zeus / SpyEye distributor sentenced to three years in prison in the United States - Data Security Breach
Naked Security (a year ago): Gozi banking malware “IT chief” finally jailed after more than 10 years
MITRE (a year ago): WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
SecurityIntelligence.com (6 months ago): ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
CERT-EU (9 months ago): Remote access detection in 2023: Unmasking invisible fraud
CERT-EU (a year ago): Gozi malware hacker sentenced to three years in US prison
CERT-EU (9 months ago): Cost of a data breach 2023: Financial industry impacts
MITRE (5 months ago): DEV-0569 finds new ways to deliver Royal ransomware, various payloads | Microsoft Security Blog
CERT-EU (a year ago): Security Incident Weekly Report 2023-06-12, Week 24 - 360CERT
MITRE (a year ago): Ursnif Variant Dreambot Adds Tor Functionality | Proofpoint
Unit42 (a year ago): Cold as Ice: Unit 42 Wireshark Quiz for IcedID
CERT-EU (a year ago): How the US Government is Fighting Back Against Ransomware | #ransomware | #cybercrime – National Cyber Security Consulting
Unit42 (9 months ago): Crossing the Line: Unit 42 Wireshark Quiz for RedLine Stealer
Naked Security (a year ago): S3 Ep139: Are password rules like running through rain?
CERT-EU (a year ago): Romanian Operator of Bulletproof Hosting Service Sentenced to Prison in US