Analytics Story: Gozi Malware

Description

This analytic story covers the detection and analysis of Gozi malware, also known as Ursnif or ISFB. Gozi is one of the oldest and most persistent banking trojans, with a history dating back to 2000. It has undergone numerous evolutions and code forks, resulting in several active variants in recent years.

Why it matters

Gozi malware, first observed in 2006, has a complex lineage tracing back to the Ursnif/Snifula spyware of 2000. Over the years it has evolved from simple spyware into a sophisticated banking trojan offered as Crimeware-as-a-Service (CaaS). Recent variants such as Dreambot, IAP, RM2, RM3, and LDR4 show that both its development and the threat it poses are ongoing.

A typical Gozi infection begins with delivery of a malicious ISO file. Once executed, the malware performs automatic discovery on the infected host and establishes persistence through registry run keys. In more advanced intrusions, Gozi serves as the initial access point for further activity, including the deployment of additional payloads such as Cobalt Strike. Post-infection activity may include credential theft, lateral movement, and the use of legitimate tools for persistence and remote access. Threat actors often use a Gozi foothold to conduct extensive reconnaissance, move laterally within the network, and stage more severe attacks such as data exfiltration or ransomware deployment.

Detection strategies should focus on suspicious ISO files, unusual process executions (especially those involving renamed system utilities), registry modifications, and network communications associated with Gozi's command and control infrastructure. Monitoring for post-exploitation activity such as credential dumping, lateral movement attempts, and the deployment of remote management tools supports earlier detection and mitigation of Gozi-related threats.
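The following Python script is an added example, not part of this analytic story or of Splunk's detection content. It runs three of the detection themes described above (a LNK file created inside a mounted ISO, a renamed system utility, and Run-key persistence) over constructed Sysmon-style events, then links the hits through the process tree so that the ISO, LNK, renamed utility and Run-key steps of one infection chain stand out from three unrelated low-confidence signals. Field names (EventID, Image, OriginalFileName, TargetFilename, TargetObject, ParentProcessId) follow Sysmon's event schema; the sample events, the utility watchlist, and the heuristic that a mounted ISO appears as a non-system drive letter are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like Sysmon EventID 1 (process create),
# 11 (file create) and 13 (registry value set). Paths, PIDs and names are made up.
SAMPLE_EVENTS = [
    # explorer.exe writes a shortcut on a non-system drive letter (assumed ISO mount)
    {"EventID": 11, "ProcessId": 4100, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"E:\invoice\invoice.lnk"},
    # child of explorer: on-disk name disagrees with the PE's OriginalFileName
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 4100,
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "OriginalFileName": "mshta.exe"},
    # grandchild: normally named PowerShell that sets a Run-key value
    {"EventID": 1, "ProcessId": 4130, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},
    {"EventID": 13, "ProcessId": 4130,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    # benign noise: a desktop shortcut on C: and an ordinary PowerShell start
    {"EventID": 11, "ProcessId": 4100, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Notes.lnk"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},
]

# Constructed watchlist: utilities whose OriginalFileName (from the PE version
# resource, which Sysmon records) should normally match the on-disk image name.
WATCHED_UTILITIES = {"mshta.exe", "bitsadmin.exe", "rundll32.exe",
                     "powershell.exe", "cmd.exe", "regsvr32.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def lnk_outside_system_drive(ev):
    """EventID 11: a .lnk written to a drive other than C:. Assumption for this
    example: a mounted ISO surfaces as its own drive letter."""
    if ev.get("EventID") != 11:
        return False
    path = ev.get("TargetFilename", "").lower()
    return path.endswith(".lnk") and not path.startswith("c:\\")


def renamed_system_utility(ev):
    """EventID 1: image basename disagrees with the OriginalFileName of a watched utility."""
    if ev.get("EventID") != 1:
        return False
    original = ev.get("OriginalFileName", "").lower()
    on_disk = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return original in WATCHED_UTILITIES and original != on_disk


def run_key_persistence(ev):
    """EventID 13: a value set under a CurrentVersion\\Run or RunOnce key."""
    return ev.get("EventID") == 13 and bool(RUN_KEY_RE.search(ev.get("TargetObject", "")))


RULES = {
    "iso_lnk_creation": lnk_outside_system_drive,
    "renamed_system_utility": renamed_system_utility,
    "run_key_persistence": run_key_persistence,
}


def evaluate(events):
    """Return {rule_name: [ProcessId, ...]} for every event a rule matches."""
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev["ProcessId"])
    return dict(hits)


def chained_processes(events, hits):
    """Process IDs whose own hits plus their parent's hits span at least two
    rules: the multi-stage chain the story describes, not isolated signals."""
    parent = {ev["ProcessId"]: ev["ParentProcessId"]
              for ev in events if ev.get("EventID") == 1 and "ParentProcessId" in ev}
    rules_by_pid = defaultdict(set)
    for name, pids in hits.items():
        for pid in pids:
            rules_by_pid[pid].add(name)
    chained = set()
    for pid, rules in rules_by_pid.items():
        lineage = rules | rules_by_pid.get(parent.get(pid), set())
        if len(lineage) >= 2:
            chained.add(pid)
    return chained


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for rule, pids in found.items():
        print(f"{rule}: processes {pids}")
    print("chained:", sorted(chained_processes(SAMPLE_EVENTS, found)))
```

Each rule on its own is noisy (shortcuts are written to removable drives legitimately, and Run keys are set by installers), which is why the story lists several detections of differing confidence; the parent-child linkage in `chained_processes` is the cheap correlation step that turns those Anomaly- and Hunting-grade signals into something worth triaging first.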

Detections

Name | Technique | Type
BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP
Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | TTP
Cobalt Strike Named Pipes | Process Injection | TTP
Detect mshta inline hta execution | System Binary Proxy Execution, Mshta | TTP
Detect Remote Access Software Usage File | Remote Access Software | Anomaly
Detect Remote Access Software Usage FileInfo | Remote Access Software | Anomaly
Detect Remote Access Software Usage Process | Remote Access Software | Anomaly
GetAdComputer with PowerShell Script Block | Remote System Discovery | Hunting
Impacket Lateral Movement Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Impacket Lateral Movement WMIExec Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
PowerShell Start-BitsTransfer | BITS Jobs | TTP
Process Creating LNK file in Suspicious Location | Phishing, Spearphishing Link | TTP
System Information Discovery Detection | System Information Discovery | TTP
Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | Anomaly
Windows Domain Admin Impersonation Indicator | Steal or Forge Kerberos Tickets | TTP
Windows ISO LNK File Creation | Spearphishing Attachment, Phishing, Malicious Link, User Execution | Hunting
Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment, Phishing | Hunting

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4627 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1