Gozi ISFB

Malware Profile Updated 24 days ago
Gozi ISFB, also known as Ursnif and Dreambot, is malware that has been actively developed and distributed worldwide. It is designed to compromise computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims. The Gozi ISFB variant maintains persistence in victim networks using command and control (C&C) domains, a bot version, a Group ID, an RSA key, and Serpent encryption keys. It has been observed to be one of the most active banking Trojans, circulated through emails and exploit kits. Notably, the source code for this variant was leaked between 2013 and 2015, which has contributed to its widespread use and continuous development.

The threat actor behind Gozi ISFB offers fast flux on infected computers, particularly in Asia, Africa, and the Middle East, which makes content difficult to block because the IP addresses change frequently. This operation has been linked to numerous ransomware variants such as Bad Rabbit, GandCrab, LockBit 2.0, and STOP/DJVU, and to several other malware families including BankBot, Dreambot, Godzilla, Nymaim, Pony Loader, PrivateLoader, and SmokeLoader. Gozi ISFB's code was found to be fairly basic and similar to that used by other malware families such as Netwalker, ZLoader, and SmokeLoader.

In a significant shift, the cybercriminal group INDRIK SPIDER started using a variant of Gozi ISFB in place of its Dridex banking trojan. This transition marked a new era for the group roughly six months after the Office of Foreign Assets Control (OFAC) sanctions and the unsealing of the indictment against Yakubets and Turashev. During this period, WastedLocker was deployed in the group's first BGH (big game hunting) campaign, indicating an evolution in the cybercrime landscape.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Profile (votes): Description
Dreambot (3): Dreambot, also known as Ursnif and Gozi ISFB, is a malicious software (malware) designed to steal passwords and credentials, primarily targeting the banking and financial sectors. It has been described by threat researchers as "frighteningly lucrative," compared to the already profitable cybercrime
Ursnif (3): Ursnif, also known as Gozi or ISFB, is a type of malware that is primarily used for information stealing. It is typically distributed through suspicious downloads, emails, or websites and can infect systems often without the user's knowledge. Once inside, it can steal personal information, disrupt o
Smokeloader (2): SmokeLoader is a type of malware, or malicious software, that can infiltrate a system through suspicious downloads, emails, or websites. It serves as a backdoor trojan often used in conjunction with Phobos ransomware, enabling threat actors to steal personal information, disrupt operations, and pote
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Exploit
Trojan
Associated Malware
Profile (type, votes): Description
Gozi (Unspecified, 3): Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Associated Threat Actors
No associations to display.
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Gozi ISFB malware was read from the document corpus below. This display is limited to 20 results.
Source (created at): Title
InfoSecurity-magazine (4 months ago): Why Bulletproof Hosting is Key to Cybercrime-as-a-Service
CERT Polska (a year ago): Ostap malware analysis (Backswap dropper)
MITRE (a year ago): WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Fortinet (a year ago): Are Internet Macros Dead or Alive? | FortiGuard labs
MITRE (a year ago): INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware
CERT-EU (a year ago): Last of the Gozi 3 gets 36 months for malware ops scheme
MITRE (a year ago): Ursnif Variant Dreambot Adds Tor Functionality | Proofpoint
BankInfoSecurity (10 months ago): New Malware WikiLoader Targeting Italian Organizations