gozi_malware.yml
name: Gozi Malware
id: a7332538-bb18-421e-874e-a20c9fcc34e7
version: 1
date: '2024-07-24'
author: Michael Haag, Splunk
status: production
description: This analytic story covers the detection and analysis of Gozi malware, also known as Ursnif or ISFB. Gozi is one of the oldest and most persistent banking trojans, with a history dating back to 2000. It has undergone numerous evolutions and code forks, resulting in several active variants in recent years.
narrative: 'Gozi malware, first observed in 2006, has a complex lineage tracing back to the Ursnif/Snifula spyware from 2000. Over the years, it has evolved from simple spyware into a sophisticated banking trojan offered as Crimeware-as-a-Service (CaaS). Recent variants such as Dreambot, IAP, RM2, RM3, and LDR4 demonstrate its ongoing development and threat.

  A typical Gozi infection may begin with delivery of a malicious ISO file. Once executed, the malware performs automatic discovery on the infected host and establishes persistence through registry run keys. In more advanced attacks, Gozi can serve as an initial access point for further malicious activity, including the deployment of additional payloads such as Cobalt Strike.

  Post-infection activities may include credential theft, lateral movement, and the use of legitimate tools for persistence and remote access. Threat actors often leverage Gozi infections to conduct extensive reconnaissance, move laterally within networks, and potentially prepare for more severe attacks such as data exfiltration or ransomware deployment.

  Detection strategies should focus on identifying suspicious ISO files, unusual process executions (especially those involving renamed system utilities), registry modifications, and network communications associated with Gozi''s command and control infrastructure. Additionally, monitoring for post-exploitation activities such as credential dumping, lateral movement attempts, and the deployment of remote management tools can help in early detection and mitigation of Gozi-related threats.'
references:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
- https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
tags:
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
  cve: []