GitHub Repo

Analytics Story: Gozi Malware

Updated Date: 2026-05-13 ID: a7332538-bb18-421e-874e-a20c9fcc34e7 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

This analytic story covers the detection and analysis of Gozi malware, also known as Ursnif or ISFB. Gozi is one of the oldest and most persistent banking trojans, with a history dating back to 2000. It has undergone numerous evolutions and code forks, resulting in several active variants in recent years.

Why it matters

Gozi malware, first observed in 2006, has a complex lineage tracing back to the Ursnif/Snifula spyware from 2000. Over the years, it has evolved from a simple spyware to a sophisticated banking trojan, offered as Crimeware-as-a-Service (CaaS). Recent variants like Dreambot, IAP, RM2, RM3, and LDR4 demonstrate its ongoing development and threat. A typical Gozi infection may begin with a malicious ISO file delivery. Once executed, the malware conducts automatic discovery on the infected host and establishes persistence through registry run keys. In more advanced attacks, Gozi can serve as an initial access point for further malicious activities, including the deployment of additional payloads like Cobalt Strike. Post-infection activities may include credential theft, lateral movement, and the use of legitimate tools for persistence and remote access. Threat actors often leverage Gozi infections to conduct extensive reconnaissance, move laterally within networks, and potentially prepare for more severe attacks such as data exfiltration or ransomware deployment. Detection strategies should focus on identifying suspicious ISO files, unusual process executions (especially involving renamed system utilities), registry modifications, and network communications associated with Gozi's command and control infrastructure. Additionally, monitoring for post-exploitation activities such as credential dumping, lateral movement attempts, and the deployment of remote management tools can help in early detection and mitigation of Gozi-related threats.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Remote Access Software Usage Registry Remote Access Tools Anomaly
Windows Suspicious C2 Named Pipe SMB/Windows Admin Shares, Process Injection, Inter-Process Communication TTP
Impacket Lateral Movement Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement WMIExec Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Windows Suspicious Named Pipe SMB/Windows Admin Shares, Process Injection, Inter-Process Communication TTP
Detect Remote Access Software Usage File Remote Access Tools Anomaly
Windows Boot or Logon Autostart Execution In Startup Folder Registry Run Keys / Startup Folder Anomaly
GetAdComputer with PowerShell Script Block Remote System Discovery Hunting
Process Creating LNK file in Suspicious Location Spearphishing Link Anomaly
Detect mshta inline hta execution Mshta TTP
Detect Remote Access Software Usage Process Remote Access Tools Anomaly
BITSAdmin Download File Ingress Tool Transfer, BITS Jobs TTP
Windows Domain Admin Impersonation Indicator Steal or Forge Kerberos Tickets TTP
Windows RMM Named Pipe SMB/Windows Admin Shares, Process Injection, Inter-Process Communication Anomaly
System Information Discovery Detection System Information Discovery TTP
Detect Remote Access Software Usage FileInfo Remote Access Tools Anomaly
PowerShell Start-BitsTransfer BITS Jobs TTP
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment Hunting
Windows Cmdline Tool Execution From Non-Shell Process JavaScript Anomaly
Windows ISO LNK File Creation Malicious Link, Spearphishing Attachment Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Windows Event Log Security 4627 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security

References

Source: GitHub | Version: 2