Gozi Isfb

Malware updated 7 months ago (2024-05-04T22:18:51.101Z)

Download STIX

Preview STIX

Gozi ISFB, also known as Ursnif and Dreambot, is a malicious software (malware) that has been actively developed and distributed worldwide. This malware is designed to exploit computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims. The Gozi ISFB variant exhibits persistence in victim networks using command and control (C&C) domains, bot version, Group ID, RSA key, and Serpent encryption keys. It was observed to be one of the most active banking Trojans circulated through emails and exploit kits. Notably, the source code for this variant was leaked between 2013 and 2015, which has contributed to its widespread use and continuous development. The threat actor behind Gozi ISFB offers fast flux on infected computers particularly in Asia, Africa, and the Middle East, making it challenging to block content due to frequently changing IP addresses. This operation has been linked to numerous ransomware variants such as Bad Rabbit, GandCrab, LockBit 2.0, and STOP/DJVU, and several other malware samples including BankBot, Dreambot, Godzilla, Nymaim, Pony Loader, Privateloader, and SmokeLoader. Interestingly, Gozi ISFB's code was found to be quite basic and similar to those used by other malware families like Netwalker, ZLoader, and Smokeloader. In a significant shift, INDRIK SPIDER, a cybercriminal group, started using a variant of Gozi ISFB instead of their Dridex banking trojan in their operations. This transition marked a new era for the group approximately six months after the Office of Foreign Assets Control (OFAC) sanctions and the unsealing of the indictment against Yakubets and Turashev. During this period, WastedLocker was deployed in the first BGH campaign, indicating an evolution in the cybercrime landscape.

Description last updated: 2024-05-04T21:45:11.081Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Dreambot is a possible alias for Gozi Isfb. Dreambot, also known as Ursnif and Gozi ISFB, is a malicious software (malware) designed to steal passwords and credentials, primarily targeting the banking and financial sectors. It has been described by threat researchers as "frighteningly lucrative," compared to the already profitable cybercrime	3
Ursnif is a possible alias for Gozi Isfb. Ursnif, also known as Gozi or ISFB, is a type of malware that has been distributed by threat actor group TA551. This harmful software can infiltrate systems via suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data for ra	3
Smokeloader is a possible alias for Gozi Isfb. SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its funct	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Exploit

Trojan

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Gozi Malware is associated with Gozi Isfb. Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c	Unspecified	3

Source Document References

Information about the Gozi Isfb Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	10 months ago	Why Bulletproof Hosting is Key to Cybercrime-as-a-Service
MITRE	2 years ago	WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
BankInfoSecurity	a year ago	New Malware WikiLoader Targeting Italian Organizations
CERT-EU	a year ago	Last of the Gozi 3 gets 36 months for malware ops scheme
MITRE	2 years ago	Ursnif Variant Dreambot Adds Tor Functionality \| Proofpoint
MITRE	2 years ago	INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware
CERT Polska	2 years ago	Ostap malware analysis (Backswap dropper)
Fortinet	2 years ago	Are Internet Macros Dead or Alive? \| FortiGuard labs