From c35925b3a930b15b73c9277cd110f470c4221aa3 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Wed, 24 Jul 2024 14:36:47 -0600 Subject: [PATCH 1/4] Haag's Hunt for Gozi Gremlins --- .../endpoint/bitsadmin_download_file.yml | 1 + ...cmdline_tool_not_executed_in_cmd_shell.yml | 1 + .../endpoint/cobalt_strike_named_pipes.yml | 1 + .../detect_mshta_inline_hta_execution.yml | 1 + ...tect_remote_access_software_usage_file.yml | 1 + ..._remote_access_software_usage_fileinfo.yml | 1 + ...t_remote_access_software_usage_process.yml | 1 + ...dcomputer_with_powershell_script_block.yml | 1 + ...ateral_movement_commandline_parameters.yml | 1 + ...ovement_wmiexec_commandline_parameters.yml | 1 + .../powershell_start_bitstransfer.yml | 1 + ...eating_lnk_file_in_suspicious_location.yml | 1 + ...system_information_discovery_detection.yml | 1 + ..._autostart_execution_in_startup_folder.yml | 1 + ...s_domain_admin_impersonation_indicator.yml | 1 + .../windows_iso_lnk_file_creation.yml | 1 + ...dows_phishing_recent_iso_exec_registry.yml | 1 + ...ateral_movement_commandline_parameters.yml | 1 + .../windows_iso_lnk_file_creation.yml | 1 + ...dows_phishing_recent_iso_exec_registry.yml | 1 + stories/gozi_malware.yml | 22 +++++++++++++++++++ 21 files changed, 42 insertions(+) create mode 100644 stories/gozi_malware.yml diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml index 384bdf2eb3..9f6562b176 100644 --- a/detections/endpoint/bitsadmin_download_file.yml +++ b/detections/endpoint/bitsadmin_download_file.yml @@ -45,6 +45,7 @@ tags: - DarkSide Ransomware - Living Off The Land - Flax Typhoon + - Gozi Malware asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml index de29f57aea..59849c0978 100644 
--- a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml +++ b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml @@ -52,6 +52,7 @@ tags: - Qakbot - CISA AA22-277A - CISA AA23-347A + - Gozi Malware asset_type: Endpoint confidence: 80 impact: 70 diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml index 7c5eab3db4..5655c50b24 100644 --- a/detections/endpoint/cobalt_strike_named_pipes.yml +++ b/detections/endpoint/cobalt_strike_named_pipes.yml @@ -43,6 +43,7 @@ tags: - BlackByte Ransomware - Graceful Wipe Out Attack - LockBit Ransomware + - Gozi Malware asset_type: Endpoint confidence: 90 impact: 80 diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml index af7f3f9e8b..39f8578e47 100644 --- a/detections/endpoint/detect_mshta_inline_hta_execution.yml +++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml @@ -41,6 +41,7 @@ tags: analytic_story: - Suspicious MSHTA Activity - Living Off The Land + - Gozi Malware asset_type: Endpoint confidence: 100 impact: 90 diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml index bed6c42094..e149f4aa8d 100644 --- a/detections/endpoint/detect_remote_access_software_usage_file.yml +++ b/detections/endpoint/detect_remote_access_software_usage_file.yml @@ -40,6 +40,7 @@ tags: - Insider Threat - Command And Control - Ransomware + - Gozi Malware asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml index 6bda13e076..dc22a4c9dc 100644 --- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml +++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml 
@@ -33,6 +33,7 @@ tags: - Insider Threat - Command And Control - Ransomware + - Gozi Malware asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml index af552ade69..60d22c6c2b 100644 --- a/detections/endpoint/detect_remote_access_software_usage_process.yml +++ b/detections/endpoint/detect_remote_access_software_usage_process.yml @@ -43,6 +43,7 @@ tags: - Insider Threat - Command And Control - Ransomware + - Gozi Malware asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/getadcomputer_with_powershell_script_block.yml b/detections/endpoint/getadcomputer_with_powershell_script_block.yml index 8170e16f90..42af01c411 100644 --- a/detections/endpoint/getadcomputer_with_powershell_script_block.yml +++ b/detections/endpoint/getadcomputer_with_powershell_script_block.yml @@ -30,6 +30,7 @@ tags: analytic_story: - Active Directory Discovery - CISA AA22-320A + - Gozi Malware asset_type: Endpoint confidence: 50 impact: 30 diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml index 4f1f6c8e85..f57ce775d3 100644 --- a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml @@ -54,6 +54,7 @@ tags: - Graceful Wipe Out Attack - Industroyer2 - Data Destruction + - Gozi Malware asset_type: Endpoint confidence: 70 impact: 90 diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml index 974ea619a2..26e729219d 100644 --- a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml +++ b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml 
@@ -54,6 +54,7 @@ tags: - Graceful Wipe Out Attack - Industroyer2 - Data Destruction + - Gozi Malware asset_type: Endpoint atomic_guid: [] confidence: 70 diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml index f919c87e47..e40fc74697 100644 --- a/detections/endpoint/powershell_start_bitstransfer.yml +++ b/detections/endpoint/powershell_start_bitstransfer.yml @@ -39,6 +39,7 @@ references: tags: analytic_story: - BITS Jobs + - Gozi Malware asset_type: Endpoint confidence: 80 impact: 70 diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml index 2703fd9a24..01aacaf6e4 100644 --- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml +++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml @@ -42,6 +42,7 @@ tags: - Qakbot - IcedID - Amadey + - Gozi Malware asset_type: Endpoint confidence: 90 impact: 70 diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index 4e5fa399e2..c83b48159d 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml @@ -38,6 +38,7 @@ references: tags: analytic_story: - Windows Discovery Techniques + - Gozi Malware asset_type: Windows confidence: 50 impact: 30 diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index c7b1e4b4d2..8a4c0901bd 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml 
@@ -33,6 +33,7 @@ tags: - Chaos Ransomware - NjRAT - RedLine Stealer + - Gozi Malware asset_type: Endpoint confidence: 90 impact: 90 diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml index 5d572bb1d3..3f2f25103c 100644 --- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml +++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml @@ -25,6 +25,7 @@ tags: analytic_story: - Active Directory Kerberos Attacks - Active Directory Privilege Escalation + - Gozi Malware asset_type: Endpoint confidence: 100 impact: 80 diff --git a/detections/endpoint/windows_iso_lnk_file_creation.yml b/detections/endpoint/windows_iso_lnk_file_creation.yml index 182d927f4a..c0c866145d 100644 --- a/detections/endpoint/windows_iso_lnk_file_creation.yml +++ b/detections/endpoint/windows_iso_lnk_file_creation.yml @@ -44,6 +44,7 @@ tags: - Remcos - Warzone RAT - Amadey + - Gozi Malware asset_type: Endpoint confidence: 50 impact: 80 diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml index 5b665a92f8..2f3b459bec 100644 --- a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml +++ b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml @@ -44,6 +44,7 @@ tags: - Azorult - Remcos - Warzone RAT + - Gozi Malware asset_type: Endpoint confidence: 80 impact: 50 diff --git a/dev/endpoint/impacket_lateral_movement_commandline_parameters.yml b/dev/endpoint/impacket_lateral_movement_commandline_parameters.yml index 2f95e9e9e1..27778d3fa4 100644 --- a/dev/endpoint/impacket_lateral_movement_commandline_parameters.yml +++ b/dev/endpoint/impacket_lateral_movement_commandline_parameters.yml @@ -45,6 +45,7 @@ tags: - CISA AA22-277A - Prestige Ransomware - Volt Typhoon + - Gozi Malware asset_type: Endpoint confidence: 70 impact: 90 
diff --git a/dev/endpoint/windows_iso_lnk_file_creation.yml b/dev/endpoint/windows_iso_lnk_file_creation.yml index bb72102d92..6a74954cd1 100644 --- a/dev/endpoint/windows_iso_lnk_file_creation.yml +++ b/dev/endpoint/windows_iso_lnk_file_creation.yml @@ -43,6 +43,7 @@ tags: - IcedID - Azorult - Remcos + - Gozi Malware asset_type: Endpoint confidence: 50 impact: 80 diff --git a/dev/endpoint/windows_phishing_recent_iso_exec_registry.yml b/dev/endpoint/windows_phishing_recent_iso_exec_registry.yml index 40887ce100..ce89c6d9f4 100644 --- a/dev/endpoint/windows_phishing_recent_iso_exec_registry.yml +++ b/dev/endpoint/windows_phishing_recent_iso_exec_registry.yml @@ -40,6 +40,7 @@ tags: - IcedID - Azorult - Remcos + - Gozi Malware asset_type: Endpoint confidence: 80 impact: 50 diff --git a/stories/gozi_malware.yml b/stories/gozi_malware.yml new file mode 100644 index 0000000000..b9d5f9a037 --- /dev/null +++ b/stories/gozi_malware.yml 
@@ -0,0 +1,22 @@ +name: Gozi Malware +id: a7332538-bb18-421e-874e-a20c9fcc34e7 +version: 1 +date: '2024-07-24' +author: Michael Haag, Splunk +description: This analytic story covers the detection and analysis of Gozi malware, also known as Ursnif or ISFB. Gozi is one of the oldest and most persistent banking trojans, with a history dating back to 2000. It has undergone numerous evolutions and code forks, resulting in several active variants in recent years. +narrative: 'Gozi malware, first observed in 2006, has a complex lineage tracing back to the Ursnif/Snifula spyware from 2000. Over the years, it has evolved from a simple spyware to a sophisticated banking trojan, offered as Crimeware-as-a-Service (CaaS). Recent variants like Dreambot, IAP, RM2, RM3, and LDR4 demonstrate its ongoing development and threat. /n + + A typical Gozi infection may begin with a malicious ISO file delivery. Once executed, the malware conducts automatic discovery on the infected host and establishes persistence through registry run keys. In more advanced attacks, Gozi can serve as an initial access point for further malicious activities, including the deployment of additional payloads like Cobalt Strike. /n + + Post-infection activities may include credential theft, lateral movement, and the use of legitimate tools for persistence and remote access. Threat actors often leverage Gozi infections to conduct extensive reconnaissance, move laterally within networks, and potentially prepare for more severe attacks such as data exfiltration or ransomware deployment. /n + + Detection strategies should focus on identifying suspicious ISO files, unusual process executions (especially involving renamed system utilities), registry modifications, and network communications associated with Gozi''s command and control infrastructure. 
Additionally, monitoring for post-exploitation activities such as credential dumping, lateral movement attempts, and the deployment of remote management tools can help in early detection and mitigation of Gozi-related threats.' +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection + cve: [] \ No newline at end of file From e600d8cd87b7bbfd97c7caa43e9e684b3363f020 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Wed, 24 Jul 2024 14:39:35 -0600 Subject: [PATCH 2/4] Update gozi_malware.yml --- stories/gozi_malware.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/stories/gozi_malware.yml b/stories/gozi_malware.yml index b9d5f9a037..eb6fb2cebf 100644 --- a/stories/gozi_malware.yml +++ b/stories/gozi_malware.yml @@ -11,6 +11,9 @@ narrative: 'Gozi malware, first observed in 2006, has a complex lineage tracing Post-infection activities may include credential theft, lateral movement, and the use of legitimate tools for persistence and remote access. Threat actors often leverage Gozi infections to conduct extensive reconnaissance, move laterally within networks, and potentially prepare for more severe attacks such as data exfiltration or ransomware deployment. /n Detection strategies should focus on identifying suspicious ISO files, unusual process executions (especially involving renamed system utilities), registry modifications, and network communications associated with Gozi''s command and control infrastructure. Additionally, monitoring for post-exploitation activities such as credential dumping, lateral movement attempts, and the deployment of remote management tools can help in early detection and mitigation of Gozi-related threats.' +references: +- https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi +- https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ tags: category: - Adversary Tactics 
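Review bot: The closing paragraph of `narrative` directs readers to detect network communications with Gozi's command-and-control infrastructure, yet every analytic this series links to the story (the `- Gozi Malware` tags above, all under detections/endpoint/) is endpoint telemetry, so the story advertises coverage its linked detections do not provide, as far as this series shows. Either qualify the clause, e.g. `network communications associated with Gozi''s command and control infrastructure (network-layer analytics are not part of this story)`, or tag a network detection into the story so the narrative and its analytics agree. The description's "history dating back to 2000" and the narrative's "first observed in 2006" read as a contradiction on first pass; a short bridge such as `first observed under the Gozi name in 2006` would make the lineage claim unambiguous.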
From 89ebda2fed292334073b7b1cca3e68b32adf0232 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 25 Jul 2024 10:40:58 -0600 Subject: [PATCH 3/4] fix --- .../impacket_lateral_movement_commandline_parameters.yml | 1 - dev/endpoint/windows_iso_lnk_file_creation.yml | 1 - dev/endpoint/windows_phishing_recent_iso_exec_registry.yml | 1 - 3 files changed, 3 deletions(-) diff --git a/dev/endpoint/impacket_lateral_movement_commandline_parameters.yml b/dev/endpoint/impacket_lateral_movement_commandline_parameters.yml index 27778d3fa4..2f95e9e9e1 100644 --- a/dev/endpoint/impacket_lateral_movement_commandline_parameters.yml +++ b/dev/endpoint/impacket_lateral_movement_commandline_parameters.yml @@ -45,7 +45,6 @@ tags: - CISA AA22-277A - Prestige Ransomware - Volt Typhoon - - Gozi Malware asset_type: Endpoint confidence: 70 impact: 90 diff --git a/dev/endpoint/windows_iso_lnk_file_creation.yml b/dev/endpoint/windows_iso_lnk_file_creation.yml index 6a74954cd1..bb72102d92 100644 --- a/dev/endpoint/windows_iso_lnk_file_creation.yml +++ b/dev/endpoint/windows_iso_lnk_file_creation.yml @@ -43,7 +43,6 @@ tags: - IcedID - Azorult - Remcos - - Gozi Malware asset_type: Endpoint confidence: 50 impact: 80 diff --git a/dev/endpoint/windows_phishing_recent_iso_exec_registry.yml b/dev/endpoint/windows_phishing_recent_iso_exec_registry.yml index ce89c6d9f4..40887ce100 100644 --- a/dev/endpoint/windows_phishing_recent_iso_exec_registry.yml +++ b/dev/endpoint/windows_phishing_recent_iso_exec_registry.yml @@ -40,7 +40,6 @@ tags: - IcedID - Azorult - Remcos - - Gozi Malware asset_type: Endpoint confidence: 80 impact: 50 From f740c7e17d9cb0114b5fa7617d7d7cd05d2515b6 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Fri, 26 Jul 2024 10:26:00 -0500 Subject: [PATCH 4/4] remove /n --- stories/gozi_malware.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/stories/gozi_malware.yml b/stories/gozi_malware.yml
index eb6fb2cebf..5f54cdc3f4 100644
--- a/stories/gozi_malware.yml
+++ b/stories/gozi_malware.yml
@@ -4,11 +4,11 @@ version: 1 date: '2024-07-24' author: Michael Haag, Splunk description: This analytic story covers the detection and analysis of Gozi malware, also known as Ursnif or ISFB. Gozi is one of the oldest and most persistent banking trojans, with a history dating back to 2000. It has undergone numerous evolutions and code forks, resulting in several active variants in recent years. -narrative: 'Gozi malware, first observed in 2006, has a complex lineage tracing back to the Ursnif/Snifula spyware from 2000. Over the years, it has evolved from a simple spyware to a sophisticated banking trojan, offered as Crimeware-as-a-Service (CaaS). Recent variants like Dreambot, IAP, RM2, RM3, and LDR4 demonstrate its ongoing development and threat. /n +narrative: 'Gozi malware, first observed in 2006, has a complex lineage tracing back to the Ursnif/Snifula spyware from 2000. Over the years, it has evolved from a simple spyware to a sophisticated banking trojan, offered as Crimeware-as-a-Service (CaaS). Recent variants like Dreambot, IAP, RM2, RM3, and LDR4 demonstrate its ongoing development and threat. - A typical Gozi infection may begin with a malicious ISO file delivery. Once executed, the malware conducts automatic discovery on the infected host and establishes persistence through registry run keys. In more advanced attacks, Gozi can serve as an initial access point for further malicious activities, including the deployment of additional payloads like Cobalt Strike. /n + A typical Gozi infection may begin with a malicious ISO file delivery. Once executed, the malware conducts automatic discovery on the infected host and establishes persistence through registry run keys. In more advanced attacks, Gozi can serve as an initial access point for further malicious activities, including the deployment of additional payloads like Cobalt Strike. 
- Post-infection activities may include credential theft, lateral movement, and the use of legitimate tools for persistence and remote access. Threat actors often leverage Gozi infections to conduct extensive reconnaissance, move laterally within networks, and potentially prepare for more severe attacks such as data exfiltration or ransomware deployment. /n + Post-infection activities may include credential theft, lateral movement, and the use of legitimate tools for persistence and remote access. Threat actors often leverage Gozi infections to conduct extensive reconnaissance, move laterally within networks, and potentially prepare for more severe attacks such as data exfiltration or ransomware deployment. Detection strategies should focus on identifying suspicious ISO files, unusual process executions (especially involving renamed system utilities), registry modifications, and network communications associated with Gozi''s command and control infrastructure. Additionally, monitoring for post-exploitation activities such as credential dumping, lateral movement attempts, and the deployment of remote management tools can help in early detection and mitigation of Gozi-related threats.' references: @@ -22,4 +22,4 @@ tags: - Splunk Enterprise Security - Splunk Cloud usecase: Advanced Threat Detection - cve: [] \ No newline at end of file + cve: []
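Review bot: With the `/n` markers removed, paragraph breaks in `narrative` now depend solely on the blank lines inside a single-quoted flow scalar, which YAML folds to one newline each — correct, but easy to break on the next edit, and it still forces the `Gozi''s` escape in the last paragraph. A folded block scalar yields the same string without quoting rules: change the key line to `narrative: >-`, move the first paragraph onto its own two-space-indented line, and drop the closing quote and the doubled apostrophe. The value's opening line and its closing `'` before `references:` are both inside this hunk, so the change is self-contained.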