Gozi Isfb

Malware profile last updated: 2024-05-04T22:18:51.101Z
Gozi ISFB, also known as Ursnif and Dreambot, is a banking Trojan that has been actively developed and distributed worldwide. It steals passwords and credentials from infected machines, primarily those of customers of banks and other financial institutions. Each Gozi ISFB sample carries an embedded configuration that includes its command and control (C&C) domains, bot version, Group ID, RSA public key, and Serpent encryption keys; these fields are what analysts extract to cluster samples and track campaigns across victim networks. It has been observed as one of the most active banking Trojans, circulated through malicious emails and exploit kits. Notably, the source code for this variant was leaked between 2013 and 2015, which has contributed to its widespread use and continuous development.

The threat actor behind Gozi ISFB also operates a fast-flux network built on infected computers, particularly in Asia, Africa, and the Middle East. Because the IP addresses behind its domains change frequently, blocking the hosted content by address is difficult.

The operation has been linked to numerous ransomware families, including Bad Rabbit, GandCrab, LockBit 2.0, and STOP/DJVU, and to several other malware samples, including BankBot, Dreambot, Godzilla, Nymaim, Pony Loader, PrivateLoader, and SmokeLoader. Parts of Gozi ISFB's code were also found to be fairly basic and similar to code used by other families such as NetWalker, ZLoader, and SmokeLoader.

In a significant shift, the cybercriminal group INDRIK SPIDER began using a variant of Gozi ISFB in place of its Dridex banking Trojan. The transition came roughly six months after the Office of Foreign Assets Control (OFAC) sanctions and the unsealing of the indictment against Yakubets and Turashev, and coincided with the first deployment of WastedLocker in a big game hunting (BGH) campaign, marking a new phase in the group's operations.
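The fast-flux point above (many, rapidly changing IP addresses behind one domain) is also what makes such infrastructure detectable from passive DNS. The following is an added example, not code from this page or from any vendor report: it scores domains from a constructed passive-DNS log by how many distinct addresses and /24 networks they resolve to within a trailing window, and how short their TTLs are. The log lines, domain names, addresses and the detection thresholds are all assumptions made up for the example; none of them are Gozi ISFB indicators.

```python
"""Flag fast-flux domains from passive-DNS style records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network
from statistics import median

# Constructed sample log: "<timestamp> <domain> <answer IP> <TTL seconds>".
# Domains and addresses are invented for this example (documentation ranges),
# not real Gozi ISFB infrastructure.
SAMPLE_LOG = """\
2024-05-01T00:00:00Z flux-example.test 203.0.113.10 60
2024-05-01T00:05:00Z flux-example.test 198.51.100.77 60
2024-05-01T00:10:00Z flux-example.test 192.0.2.33 60
2024-05-01T00:15:00Z flux-example.test 203.0.113.200 120
2024-05-01T00:20:00Z flux-example.test 198.51.100.5 60
2024-05-01T00:25:00Z flux-example.test 192.0.2.140 60
2024-05-01T00:00:00Z cdn-example.test 192.0.2.50 3600
2024-05-01T06:00:00Z cdn-example.test 192.0.2.51 3600
2024-05-01T12:00:00Z cdn-example.test 192.0.2.50 3600
2024-05-01T00:00:00Z rr-example.test 198.51.100.10 30
2024-05-01T00:01:00Z rr-example.test 198.51.100.11 30
2024-05-01T00:02:00Z rr-example.test 198.51.100.12 30
2024-05-01T00:03:00Z rr-example.test 198.51.100.13 30
2024-05-01T00:04:00Z rr-example.test 198.51.100.14 30
2024-05-01T00:05:00Z rr-example.test 198.51.100.15 30
"""


def parse_records(text):
    """Parse log lines into (timestamp, domain, ip, ttl) tuples; skips blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, ip, ttl = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, domain.lower().rstrip("."), ip, int(ttl)))
    return records


def flux_features(records, window=timedelta(hours=24)):
    """Per-domain features over the trailing window that ends at the newest record."""
    if not records:
        return {}
    cutoff = max(r[0] for r in records) - window
    per_domain = defaultdict(list)
    for when, domain, ip, ttl in records:
        if when >= cutoff:
            per_domain[domain].append((ip, ttl))
    features = {}
    for domain, answers in per_domain.items():
        ips = {ip for ip, _ in answers}
        # Distinct /24 networks separate true flux (addresses scattered across
        # unrelated networks) from ordinary round-robin within one provider block.
        nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        features[domain] = {
            "resolutions": len(answers),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "median_ttl": median(ttl for _, ttl in answers),
        }
    return features


def is_fast_flux(f, min_ips=5, min_nets=3, max_ttl=300):
    """Assumed heuristic thresholds: many addresses, spread over networks, short TTL."""
    return (f["distinct_ips"] >= min_ips
            and f["distinct_nets"] >= min_nets
            and f["median_ttl"] <= max_ttl)


def find_fast_flux(text, **thresholds):
    """Return the sorted list of domains in the log that look like fast-flux."""
    feats = flux_features(parse_records(text))
    return sorted(d for d, f in feats.items() if is_fast_flux(f, **thresholds))


if __name__ == "__main__":
    for domain, f in flux_features(parse_records(SAMPLE_LOG)).items():
        print(domain, f, "FAST-FLUX" if is_fast_flux(f) else "")
```

On the constructed log only flux-example.test is flagged: rr-example.test rotates six addresses with a short TTL but they all sit in one /24, which is what a legitimate round-robin pool looks like, and cdn-example.test has long TTLs and two addresses. Real passive-DNS data would be joined with ASN or geolocation rather than /24 prefixes, and the thresholds would be tuned against known-good CDN domains.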
Description last updated: 2024-05-04T21:45:11.081Z
Possible Aliases / Cluster overlaps

It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth looking at.

Dreambot (3 votes): Dreambot, also known as Ursnif and Gozi ISFB, is a malicious software (malware) designed to steal passwords and credentials, primarily targeting the banking and financial sectors. It has been described by threat researchers as "frighteningly lucrative," compared to the already profitable cybercrime

Ursnif (3 votes): Ursnif, also known as Gozi or ISFB, is a type of malware that has been distributed by the threat actor group TA551. This harmful software can infiltrate systems via suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data for ra

Smokeloader (2 votes): SmokeLoader is a malicious software (malware) used by threat actors to infect systems and exfiltrate data. It operates in conjunction with other open-source tools like Cobalt Strike and BloodHound, but most notably with Phobos ransomware. Threat actors often use SmokeLoader as a hidden payload in sp

Note that SmokeLoader is a distinct loader family that has been used to deliver Gozi ISFB, not another name for it; the overlap reflects shared distribution rather than a true alias.
Miscellaneous Associations

Other elements of context that could aid in identifying relevance: Malware, Exploit, Trojan.
Associated Malware

Gozi (association type: Unspecified; 3 votes): Gozi is a notorious malware that has been linked to numerous cyber attacks. It is typically delivered through sophisticated malvertising techniques, often in conjunction with other initial-access malware such as the Pikabot botnet agent and the IcedID information stealer. When an individual accesses a c