splunk · patel-bhavin · Jul 26, 2024 · Jul 24, 2024 · Jul 24, 2024 · Jul 25, 2024
@@ -47,6 +47,7 @@ tags:
   - DarkSide Ransomware
   - Living Off The Land
   - Flax Typhoon
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 70
   impact: 70

@@ -54,6 +54,7 @@ tags:
   - Qakbot
   - CISA AA22-277A
   - CISA AA23-347A
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 80
   impact: 70

@@ -43,6 +43,7 @@ tags:
   - BlackByte Ransomware
   - Graceful Wipe Out Attack
   - LockBit Ransomware
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 90
   impact: 80

@@ -43,6 +43,7 @@ tags:
   analytic_story:
   - Suspicious MSHTA Activity
   - Living Off The Land
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 100
   impact: 90

@@ -40,6 +40,7 @@ tags:
   - Insider Threat
   - Command And Control
   - Ransomware
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 50
   impact: 50

@@ -35,6 +35,7 @@ tags:
   - Insider Threat
   - Command And Control
   - Ransomware
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 50
   impact: 50

@@ -45,6 +45,7 @@ tags:
   - Insider Threat
   - Command And Control
   - Ransomware
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 50
   impact: 50

@@ -30,6 +30,7 @@ tags:
   analytic_story:
   - Active Directory Discovery
   - CISA AA22-320A
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 50
   impact: 30

@@ -56,6 +56,7 @@ tags:
   - Graceful Wipe Out Attack
   - Industroyer2
   - Data Destruction
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 70
   impact: 90

@@ -56,6 +56,7 @@ tags:
   - Graceful Wipe Out Attack
   - Industroyer2
   - Data Destruction
+  - Gozi Malware
   asset_type: Endpoint
   atomic_guid: []
   confidence: 70

@@ -41,6 +41,7 @@ references:
 tags:
   analytic_story:
   - BITS Jobs
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 80
   impact: 70

@@ -42,6 +42,7 @@ tags:
   - Qakbot
   - IcedID
   - Amadey
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 90
   impact: 70

@@ -40,6 +40,7 @@ references:
 tags:
   analytic_story:
   - Windows Discovery Techniques
+  - Gozi Malware
   asset_type: Windows
   confidence: 50
   impact: 30

@@ -33,6 +33,7 @@ tags:
   - Chaos Ransomware
   - NjRAT
   - RedLine Stealer
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 90
   impact: 90

@@ -25,6 +25,7 @@ tags:
   analytic_story:
   - Active Directory Kerberos Attacks
   - Active Directory Privilege Escalation
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 100
   impact: 80

@@ -44,6 +44,7 @@ tags:
   - Remcos
   - Warzone RAT
   - Amadey
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 50
   impact: 80

@@ -44,6 +44,7 @@ tags:
   - Azorult
   - Remcos
   - Warzone RAT
+  - Gozi Malware
   asset_type: Endpoint
   confidence: 80
   impact: 50

@@ -0,0 +1,25 @@
+name: Gozi Malware
+id: a7332538-bb18-421e-874e-a20c9fcc34e7
+version: 1
+date: '2024-07-24'
+author: Michael Haag, Splunk
+description: This analytic story covers the detection and analysis of Gozi malware, also known as Ursnif or ISFB. Gozi is one of the oldest and most persistent banking trojans, with a history dating back to 2000. It has undergone numerous evolutions and code forks, resulting in several active variants in recent years.
+narrative: 'Gozi malware, first observed in 2006, has a complex lineage tracing back to the Ursnif/Snifula spyware from 2000. Over the years, it has evolved from a simple spyware to a sophisticated banking trojan, offered as Crimeware-as-a-Service (CaaS). Recent variants like Dreambot, IAP, RM2, RM3, and LDR4 demonstrate its ongoing development and threat.
+
+  A typical Gozi infection may begin with a malicious ISO file delivery. Once executed, the malware conducts automatic discovery on the infected host and establishes persistence through registry run keys. In more advanced attacks, Gozi can serve as an initial access point for further malicious activities, including the deployment of additional payloads like Cobalt Strike.
+
+  Post-infection activities may include credential theft, lateral movement, and the use of legitimate tools for persistence and remote access. Threat actors often leverage Gozi infections to conduct extensive reconnaissance, move laterally within networks, and potentially prepare for more severe attacks such as data exfiltration or ransomware deployment.
+
+  Detection strategies should focus on identifying suspicious ISO files, unusual process executions (especially involving renamed system utilities), registry modifications, and network communications associated with Gozi''s command and control infrastructure. Additionally, monitoring for post-exploitation activities such as credential dumping, lateral movement attempts, and the deployment of remote management tools can help in early detection and mitigation of Gozi-related threats.'
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
+- https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
+  cve: []