Gozi malware campaigns are expanding beyond banks to cryptocurrency-related targets, leveraging web injects to steal credentials and financial data. The article also highlights Gozi’s historical ties to other malware families, its evolution, and practical defense recommendations. #Gozi #PowerHost
Key points
- Gozi campaigns are expanding to Asia and targeting cryptocurrency-related entities in addition to banks.
- Gozi uses web injects to modify legitimate websites, tricking users into entering credentials and financial data.
- The Gozi ecosystem has historical ties to Ursnif/Snifula via shared code, with a 2010 source-code leak influencing new strains.
- Mihai Ionut Paunescu was sentenced in 2023 for running a bulletproof hosting service (PowerHost[.]ro) that aided Gozi and other malware.
- Targets include cryptocurrency exchanges, wallets, and blockchain service providers, aiming to steal login credentials and 2FA codes.
- Defensive guidance includes phishing awareness, strong unique passwords, vigilance online, and mentions IBM Trusteer Pinpoint Detect as a protective tool.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – ‘phishing emails that may attempt to trick you into downloading malware.’
- [T1056.003] Input Capture: Web Portal Capture (browser web injects are also commonly mapped to T1185 Browser Session Hijacking) – ‘These malicious code injections are designed to modify the content of legitimate websites, making them appear genuine to unsuspecting users. By mimicking legitimate login pages or transaction forms, Gozi tricks users into entering their credentials and unknowingly providing them directly to the attackers.’
- [T1583] Acquire Infrastructure – ‘This service aided cybercriminals in distributing various malware strains, including Gozi Virus, Zeus Trojan, SpyEye Trojan and BlackEnergy malware.’
- [T1071.001] Web Protocols – ‘Gozi uses command-and-control infrastructure… hxxps://gestorbancasrl.com’
Indicators of Compromise
- [Domain] C2 domains – gestorbancasrl[.]com, gestorbancosrl[.]com, and 4 more domains
- [MD5] 471d596dad7ca027a44b21f3c3a2a0d9
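The indicators above are published in defanged form, so a sweep first has to refang them and then match them carefully (a subdomain of a C2 domain should hit, a look-alike such as notgestorbancasrl.com should not). The following Python is an added example written for this summary, not code from the original article or from IBM; it uses only the two domains and the one MD5 the page actually lists (the "4 more domains" are not on the page), and the proxy-log format (timestamp, client, host, URL) and the log lines themselves are constructed for illustration.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Indicators exactly as this page lists them (defanged). Only the hash the page
# publishes is MD5, so MD5 is what we match on; treat any hit as a lead, not proof.
PAGE_IOCS = {
    "domains": ["gestorbancasrl[.]com", "gestorbancosrl[.]com"],
    "md5": ["471d596dad7ca027a44b21f3c3a2a0d9"],
}


def refang(indicator: str) -> str:
    """Turn feed notation (hxxps://, [.]) into a lowercase hostname for matching."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://|^https?://", "", s)   # drop any scheme
    s = s.replace("[.]", ".").replace("(.)", ".")  # undo defanging
    return s.split("/", 1)[0]                      # keep host only, drop path


def host_matches(host: str, ioc_domain: str) -> bool:
    """Exact match or a subdomain of the IOC; no substring matching."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Constructed sample proxy log (assumed format: ts client host url). Not real data.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:01Z 10.1.2.3 www.example-bank.com https://www.example-bank.com/login
2024-03-01T10:00:09Z 10.1.2.3 gestorbancasrl.com https://gestorbancasrl.com/api/v1/
2024-03-01T10:02:44Z 10.1.2.7 update.gestorbancosrl.com https://update.gestorbancosrl.com/cfg
2024-03-01T10:03:00Z 10.1.2.9 notgestorbancasrl.com https://notgestorbancasrl.com/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<url>\S+)$")


def sweep_proxy_log(lines: Iterable[str], ioc_domains: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line whose host matches an IOC domain."""
    refanged = [refang(d) for d in ioc_domains]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash the sweep
        for ioc in refanged:
            if host_matches(m["host"], ioc):
                hits.append({"ts": m["ts"], "client": m["client"],
                             "host": m["host"], "ioc": ioc})
    return hits


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sweep_files(files: Dict[str, bytes], ioc_md5s: Iterable[str]) -> List[str]:
    """Return the paths whose content hashes to a listed MD5 (case-insensitive)."""
    wanted = {h.strip().lower() for h in ioc_md5s}
    return [path for path, content in files.items() if md5_of_bytes(content) in wanted]


if __name__ == "__main__":
    for hit in sweep_proxy_log(SAMPLE_PROXY_LOG.splitlines(), PAGE_IOCS["domains"]):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} (IOC {hit['ioc']})")
    # Constructed file inventory; the real sample is not reproduced here, so no match.
    inventory = {"C:\\Users\\user\\AppData\\Local\\Temp\\setup.bin": b"constructed placeholder"}
    print("hash hits:", sweep_files(inventory, PAGE_IOCS["md5"]))
```

Two hits come out of the sample log: the direct connection to gestorbancasrl.com and the subdomain update.gestorbancosrl.com; the look-alike notgestorbancasrl.com is correctly ignored. Pivot on the client IPs from the hits before blocking, since the C2 list is incomplete and the MD5 alone does not identify the dropper variant.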
Read more: https://securityintelligence.com/posts/gozi-strikes-again-targeting-banks-cryptocurrency-and-more/