URL: https://www.hawk-eye.io/2022/11/ursnif-gozi-malware-evolution-and-associated-ioc/



25 Nov 2022, HAWKEYE
Cyber Security, Malware Protection, Managed SOC Services, Security Operations Center


URSNIF/GOZI MALWARE EVOLUTION AND ASSOCIATED IOC




Background:

URSNIF (also known as Gozi or Gozi/ISFB) is one of the oldest banking malware
families still active today, so it should come as no surprise that it has a
long and eventful history and is frequently entangled with other malware
families and variants. Since the first major version debuted in 2006, its
source code has been leaked at least twice, leading to further variants,
several of which are still in use today (e.g., IAP). Numerous URSNIF variants
based on ISFB have been observed in the wild recently, including Dreambot, IAP,
RM2, RM3, and LDR4. In this article, we dissect the evolution of Gozi step by
step and list the associated IOCs.

Evolution of Gozi:

Gozi is a powerful piece of malware with a wide range of intricate
characteristics. It began as a basic banking Trojan, in some ways even more
basic than the original Zeus because it notably lacked web-injection features.
Gozi went unnoticed for its first year of operation; it was not until a 2007
SecureWorks exposé, which included a breakdown of the malware's internal
structure and of the underlying financial operation, that this strain came to
the public's attention. Much like Emotet, Gozi later developed into a
multi-module, multi-purpose malicious platform, and as of 2020 many
contemporary variants of Kuzmin's original work were still actively used in
malicious campaigns.

2010 Leak:

After its 2007 public exposure, Gozi remained a conventional malicious campaign
for three more years, with a single codebase limited to a small, exclusive
group of cyber criminals. Then, in 2010, the sources for this initial Gozi
version, by then known as Gozi CRM, leaked. Other actors used the leaked code
to build two new versions, Gozi Prinimalka and Gozi "ISFB". Even these early
mutations made it difficult for the industry to track Gozi: ISFB was referred
to as "Gozi2" by one vendor and as "Ursnif" or "Snifula" by others, and because
a particular packer was frequently used to conceal the malware's binaries, a
number of other vendors began calling the malware "Rovnix".

2015 Leak:

A few years later, the ISFB source code was leaked as well. Sources disagree on
the exact timing, but most of the evidence dates this second leak to 2015. One
of the resulting branches later merged with Nymaim and became the code base for
GozNym, the hybrid malware strain created by the union of the two families.
Another branch eventually evolved into Dreambot, which modified the ISFB
check-in format and supported C&C communication over the Tor network; Dreambot
mainly relied on code from the original 2010 CRM leak.

Once second-wave Gozi had been around long enough, some actors judged that the
market was ready for a new major version. The result was Goziv3 (RM3 loader),
ISFB3, and Gozi2RM3 (IAP 2.0). Each of them modified the malware's C&C
communication protocol, control flow, and obfuscation technique. These
"third-wave Gozi" campaigns were particularly distinguished by novelties such
as signed binaries, HTTPS connectivity, and a tiered, two-stage client
registration process.

Variants of Gozi/Ursnif:

 * Dreambot:
   This branch of the leaked ISFB sources was discovered not long after the
   ISFB leak. It remained under active development for a long time and
   incorporated numerous new features. Its C2 check-ins imitated GET requests
   for image files, a tactic that rapidly lost its usefulness once it was
   discovered, and it was outclassed by third-wave Gozi's more sophisticated
   stealth practices. After a lengthy and successful run, Dreambot came to an
   end in March 2020.
   IOCs (SHA-256 hashes):
   * 52cb2bd9724270b3efe575894112d0a866734856a3257ddcfb24308e42861f6a
   * f2556099982b2b1ebea7443c863b8b205b6683112624f46393454e430e69aed5
 * Goziat:
   This Gozi variant appears to have made its debut several years after the
   ISFB leak. Its C&C check-in peculiarity, which can be changed when the
   malware is built, is that it uses a different resource directory in place of
   "images", which sets it apart from other variants. Goziat abandons the
   Dreambot-popularised "image file extensions as encoded requests" technique,
   since it does not try to pretend that its check-in is a valid request for an
   image.
   IOCs (SHA-256 hashes):
   * cb4f92bf9fef3708e7aeba5d8994a0502952d06374c8a83ff2c1ee0b7e603d35
   * c486d8579308999b7d9f8cbb6de33b7a3976b9db5b98c06b7744adf5d5d11caf
 * Goziv2:
   The most noticeable distinction between Gozi2RM3 and earlier-generation Gozi
   is at the campaign-infrastructure level, where Gozi2RM3 runs a thorough
   vetting procedure. Although these infrastructure differences are the most
   significant ones, there are some functional differences as well.
   IOCs (SHA-256 hashes):
   * c2ee9cf24f0bddb07914503dbae35c4497d66f9ca01ea65108ef40ff13cbec02
   * 81734690442c224cf104fba0db8bacabdf3dc347bba3da3415a92de587df6d82
 * Goziv3:
   This variant has been spotted in the wild since at least the summer of 2017.
   Most of the ISFB code is still present, but many new components have been
   added. Its operators are fairly skilled and make an effort to remain
   undetected while primarily targeting the USA, Australia, and Italy.
   IOCs (SHA-256 hashes):
   * 41e52cec2091e4451beadad93c5f693d5a008cf56eaf160f9fa4d577b1d707f6
   * a353dfb1b5eb69808244356cf9a784181c53eea2cb3f254749fa19c307c30cfc
 * ISFB3:
   This version was used only briefly and very selectively against Japanese
   targets during 2018–2019. Because of a similarity in distribution technique,
   it has been assumed to be connected to the threat actor TA544.
   IOCs (SHA-256 hashes):
   * cacc1c3af8ad58b992c707bdf36ec1bd5f039dd80780ad2978cb142ccfe714d6
   * 8d7ffebb0774e0dfe9d85f175cd5e1800dfd757bb5fbc4565a8f8a173e739ea5
 * LDR4:
   This URSNIF variant was first observed in June 2022. Unlike earlier URSNIF
   versions, LDR4 is a generic backdoor (similar to the short-lived SAIGON
   variant), which may have been created specifically to support activities
   such as ransomware and data-theft extortion.
   IOCs (MD5 hashes):
   * 360417f75090c962adb8021dbb478f67
   * 58169007c2e7a0d022bc383f9b9476fe
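The check-in behaviour described for Dreambot and Goziat (GET requests disguised as image fetches beneath a fixed resource directory, or the same trick under another directory with no image extension) and the IOC list above both lend themselves to simple hunting logic. The Python below is an added example written for this edit; it is not code from HAWKEYE or from the Gozi research the post summarises. It loads a subset of the page's hashes, inferring the algorithm from the digest length because the list mixes SHA-256 and MD5 values, matches them against a constructed EDR-style file inventory, and flags proxy-log GET paths whose segments look like long, high-entropy URL-safe base64 rather than real image names. The log lines, the log format, the `data` directory used for the Goziat-like case, and the length and entropy thresholds are all assumptions, not values from the page.

```python
import math
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

# Subset of the page's IOC list. It mixes 64-hex (SHA-256) and 32-hex (MD5)
# digests without saying so, so the loader infers the algorithm from the length.
PAGE_IOCS = [
    "52cb2bd9724270b3efe575894112d0a866734856a3257ddcfb24308e42861f6a",  # Dreambot
    "cb4f92bf9fef3708e7aeba5d8994a0502952d06374c8a83ff2c1ee0b7e603d35",  # Goziat
    "41e52cec2091e4451beadad93c5f693d5a008cf56eaf160f9fa4d577b1d707f6",  # Goziv3
    "360417f75090c962adb8021dbb478f67",                                  # LDR4
    "58169007c2e7a0d022bc383f9b9476fe",                                  # LDR4
]
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

def classify_hash(value: str):
    """Return 'md5' / 'sha1' / 'sha256' from a hex digest's length, or None if malformed."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_ALGOS.get(len(v))

def load_iocs(values: Iterable[str]) -> Dict[str, Set[str]]:
    """Normalise digests to lowercase and group them by algorithm."""
    grouped: Dict[str, Set[str]] = {}
    for raw in values:
        algo = classify_hash(raw)
        if algo is None:
            continue  # drop malformed entries instead of carrying IOCs that can never match
        grouped.setdefault(algo, set()).add(raw.strip().lower())
    return grouped

def match_file_hashes(inventory: Iterable[Tuple[str, str, str]],
                      iocs: Dict[str, Set[str]]) -> List[str]:
    """inventory rows are (path, algorithm, digest), e.g. an EDR export; returns matching
    paths. Each digest is compared only against IOCs of the same algorithm."""
    return [path for path, algo, digest in inventory
            if digest.lower() in iocs.get(algo, set())]

# --- check-in heuristic: GET paths that imitate image fetches ------------------
IMAGE_EXT = (".gif", ".jpeg", ".jpg", ".bmp", ".png")
URLSAFE_B64 = re.compile(r"^[A-Za-z0-9_-]+$")
MIN_PAYLOAD_LEN = 40   # assumed: encoded check-in data is far longer than a real image name
MIN_ENTROPY = 4.0      # assumed: bits/char typical of encrypted+encoded data, not words

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def is_disguised_checkin(path: str, resource_dir: str = "images") -> bool:
    """True if path is <resource_dir>/<long, high-entropy URL-safe-base64 segments>[.<img ext>].
    The extension is optional so the same check covers the Goziat-style variant, which
    keeps the directory trick but drops the image extension (hence resource_dir is a
    parameter)."""
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != resource_dir:
        return False
    stem = parts[-1]
    for ext in IMAGE_EXT:
        if stem.lower().endswith(ext):
            stem = stem[:-len(ext)]
            break
    payload = "".join(parts[1:-1]) + stem
    if len(payload) < MIN_PAYLOAD_LEN or not URLSAFE_B64.match(payload):
        return False
    return shannon_entropy(payload) >= MIN_ENTROPY

# Constructed proxy log lines (format assumed: time client method url status).
SAMPLE_LOG = [
    "2022-11-25T09:58:11Z 10.20.1.14 GET http://cdn.example/images/logo.png 200",
    "2022-11-25T09:58:12Z 10.20.1.14 GET http://cdn.example/wp-content/uploads/2022/11/ioc.png 200",
    "2022-11-25T10:01:02Z 10.20.1.37 GET http://c2.example/images/zAn8f3KqLw2XuB9RtYc4Ve/Hj7GmS0pDoNi5TkZ1aQx/_E6rUsIyCvWb-lF.gif 200",
    "2022-11-25T10:03:45Z 10.20.1.37 POST http://c2.example/images/zAn8f3KqLw2XuB9RtYc4Ve/Hj7GmS0pDoNi5TkZ1aQx/_E6rUsIyCvWb-lF.gif 200",
    "2022-11-25T10:05:09Z 10.20.1.52 GET http://c2.example/data/zAn8f3KqLw2XuB9RtYc4Ve/Hj7GmS0pDoNi5TkZ1aQx/_E6rUsIyCvWb-lF 200",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def scan_proxy_log(lines: Iterable[str],
                   resource_dirs: Tuple[str, ...] = ("images",)) -> List[Tuple[str, str]]:
    """Return (client, url) for GET requests whose path matches the check-in heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "GET":
            continue
        if any(is_disguised_checkin(urlsplit(m["url"]).path, d) for d in resource_dirs):
            hits.append((m["client"], m["url"]))
    return hits

if __name__ == "__main__":
    print({algo: len(v) for algo, v in load_iocs(PAGE_IOCS).items()})
    for client, url in scan_proxy_log(SAMPLE_LOG, resource_dirs=("images", "data")):
        print("suspect check-in:", client, url)
```

Tune the resource directories and thresholds against known-good traffic before deploying this: base64-looking segments also appear in legitimate CDN and cache-busting URLs, so a hit is a hunting lead to pivot on (requesting process, parent, destination reputation), not a verdict. Matching hashes per algorithm matters because an MD5 compared against a SHA-256 set can never hit, which would silently turn the two LDR4 entries into dead IOCs.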


Tags: Gozi, IoC, Malware, Managed SOC Dubai, Managed SOC UAE, Ursnif