Gozi Isfb

Malware updated 4 months ago (2024-05-04T22:18:51.101Z)
Gozi ISFB, also known as Ursnif and Dreambot, is malware that has been actively developed and distributed worldwide. It primarily targets the banking and financial sectors, stealing passwords and credentials from victims. Gozi ISFB persists in victim networks, and each build is identified by its configuration: command and control (C&C) domains, bot version, Group ID, RSA key, and Serpent encryption keys. It has been observed as one of the most active banking Trojans, circulated through emails and exploit kits. Notably, the source code for this variant was leaked between 2013 and 2015, which has contributed to its widespread use and continuous development.

The operators behind Gozi ISFB run fast-flux infrastructure on infected computers, particularly in Asia, Africa, and the Middle East; the frequently changing IP addresses make the hosted content hard to block. This operation has been linked to numerous ransomware variants, such as Bad Rabbit, GandCrab, LockBit 2.0, and STOP/DJVU, and to several other malware families including BankBot, Dreambot, Godzilla, Nymaim, Pony Loader, Privateloader, and SmokeLoader. Interestingly, Gozi ISFB's code was found to be quite basic and similar to that used by other malware families such as Netwalker, ZLoader, and Smokeloader.

In a significant shift, the cybercriminal group INDRIK SPIDER started using a variant of Gozi ISFB in place of its Dridex banking trojan. This transition came approximately six months after the Office of Foreign Assets Control (OFAC) sanctions and the unsealing of the indictment against Yakubets and Turashev. During the same period, WastedLocker was deployed in the group's first big game hunting (BGH) campaign, marking an evolution in the cybercrime landscape.
Description last updated: 2024-05-04T21:45:11.081Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Dreambot | 3 | Dreambot, also known as Ursnif and Gozi ISFB, is a malicious software (malware) designed to steal passwords and credentials, primarily targeting the banking and financial sectors. It has been described by threat researchers as "frighteningly lucrative," compared to the already profitable cybercrime
Ursnif | 3 | Ursnif, also known as Gozi or ISFB, is a type of malware that poses significant threats to computer systems and user data. It's often distributed through suspicious downloads, emails, or websites, infiltrating systems without the user's knowledge. Once installed, Ursnif can steal personal informatio
Smokeloader | 2 | Smokeloader is a malicious software (malware) that has been utilized by threat actors, specifically Phobos actors, to embed ransomware as a hidden payload. This malware, acting as a loader for other malware, infects systems through suspicious downloads, emails, or websites, often without the victim'
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Exploit
Trojan
Associated Malware
ID | Type | Votes | Profile Description
Gozi | Unspecified | 3 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Source Document References
Information about the Gozi ISFB malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
InfoSecurity-magazine | 7 months ago | Why Bulletproof Hosting is Key to Cybercrime-as-a-Service
MITRE | 2 years ago | WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
BankInfoSecurity | a year ago | New Malware WikiLoader Targeting Italian Organizations
CERT-EU | a year ago | Last of the Gozi 3 gets 36 months for malware ops scheme
MITRE | 2 years ago | Ursnif Variant Dreambot Adds Tor Functionality | Proofpoint
MITRE | 2 years ago | INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware
CERT Polska | 2 years ago | Ostap malware analysis (Backswap dropper)
Fortinet | a year ago | Are Internet Macros Dead or Alive? | FortiGuard labs