| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Actor(s): GOLD CABIN
URLhaus2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
In September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.
The other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.
There is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.
ISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.
In April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.
See win.gozi for additional historical information.
| 2023-03-19 ⋅ 0xToxin Labs ⋅ Gozi - Italian ShellCode Dance Gozi ISFB |
| 2023-02-08 ⋅ NTT Security ⋅ SteelClover Attacks Distributing Malware Via Google Ads Increased BATLOADER ISFB RedLine Stealer |
| 2023-01-09 ⋅ The DFIR Report ⋅ Unwrapping Ursnifs Gifts ISFB |
| 2022-08-08 ⋅ Medium CSIS Techblog ⋅ An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader |
| 2022-06-24 ⋅ Group-IB ⋅ We see you, Gozi Hunting the latest TTPs used for delivering the Trojan ISFB |
| 2022-06-07 ⋅ McAfee ⋅ Phishing Campaigns featuring Ursnif Trojan on the Rise ISFB |
| 2022-05-19 ⋅ IBM ⋅ ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups IcedID ISFB Mount Locker |
| 2022-05-09 ⋅ Microsoft ⋅ Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT |
| 2022-05-08 ⋅ Qualys ⋅ Ursnif Malware Banks on News Events for Phishing Attacks ISFB |
| 2022-04-14 ⋅ Avast Decoded ⋅ Zloader 2: The Silent Night ISFB Raccoon Zloader |
| 2022-01-11 ⋅ Medium walmartglobaltech ⋅ Signed DLL campaigns as a service BATLOADER Cobalt Strike ISFB Zloader |
| 2021-10-25 ⋅ Cleafy ⋅ Digital banking fraud: how the Gozi malware works ISFB |
| 2021-09-29 ⋅ Proofpoint ⋅ TA544 Targets Italian Organizations with Ursnif Malware ISFB |
| 2021-09-03 ⋅ Trend Micro ⋅ The State of SSL/TLS Certificate Usage in Malware C&C Communications AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
| 2021-07-30 ⋅ HP ⋅ Detecting TA551 domains Valak Dridex IcedID ISFB QakBot |
| 2021-06-30 ⋅ The Record ⋅ Gozi malware gang member arrested in Colombia Gozi ISFB |
| 2021-06-23 ⋅ IBM ⋅ Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy ISFB |
| 2021-05-26 ⋅ DeepInstinct ⋅ A Deep Dive into Packing Software CryptOne Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader |
| 2021-05-10 ⋅ Mal-Eats ⋅ Overview of Campo, a new attack campaign targeting Japan AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader |
| 2021-05-04 ⋅ NCC Group ⋅ RM3 – Curiosities of the wildest banking malware ISFB RM3 |
| 2021-05-04 ⋅ Fox-IT ⋅ RM3 – Curiosities of the wildest banking malware ISFB |
| 2021-04-12 ⋅ PTSecurity ⋅ PaaS, or how hackers evade antivirus software Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader |
| 2021-04-06 ⋅ Intel 471 ⋅ EtterSilent: the underground’s new favorite maldoc builder BazarBackdoor ISFB QakBot TrickBot |
| 2021-02-03 ⋅ ZDNet ⋅ Ursnif Trojan has targeted over 100 Italian banks ISFB Snifula |
| 2021-01-12 ⋅ Fortinet ⋅ New Variant of Ursnif Continuously Targeting Italy ISFB |
| 2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
| 2021-01-08 ⋅ 0xC0DECAFE ⋅ The malware analyst’s guide to aPLib decompression ISFB Rovnix |
| 2020-11-27 ⋅ malware.love ⋅ Having fun with a Ursnif VBS dropper ISFB Snifula |
| 2020-11-26 ⋅ Cybereason ⋅ Cybereason vs. Egregor Ransomware Cobalt Strike Egregor IcedID ISFB QakBot |
| 2020-10-29 ⋅ CERT-FR ⋅ LE MALWARE-AS-A-SERVICE EMOTET Dridex Emotet ISFB QakBot |
| 2020-10-15 ⋅ Department of Justice ⋅ Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals Dridex ISFB TrickBot |
| 2020-09-02 ⋅ Cisco Talos ⋅ Salfram: Robbing the place without removing your name tag Ave Maria ISFB SmokeLoader Zloader |
| 2020-08-28 ⋅ Checkpoint ⋅ Gozi: The Malware with a Thousand Faces DreamBot ISFB LOLSnif SaiGon |
| 2020-08 ⋅ TG Soft ⋅ TG Soft Cyber - Threat Report DarkComet Darktrack RAT Emotet ISFB |
| 2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Botnet Threat Update Q2 2020 AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader |
| 2020-07-29 ⋅ ESET Research ⋅ THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor |
| 2020-07-23 ⋅ Darktrace ⋅ The resurgence of the Ursnif banking trojan ISFB Snifula |
| 2020-07-22 ⋅ SentinelOne ⋅ Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW) ISFB Maze TrickBot Zloader |
| 2020-07-18 ⋅ Hornetsecurity ⋅ Firefox Send sends Ursnif malware ISFB |
| 2020-07-17 ⋅ CERT-FR ⋅ The Malware Dridex: Origins and Uses Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus |
| 2020-07-01 ⋅ Cisco Talos ⋅ Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks Valak IcedID ISFB MyKings Spreader |
| 2020-07-01 ⋅ TG Soft ⋅ Cyber-Threat Report on the cyber attacks of June 2020 in Italy Avaddon ISFB |
| 2020-06-24 ⋅ Morphisec ⋅ Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex Dridex ISFB QakBot Zloader |
| 2020-06-23 ⋅ NCC Group ⋅ WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Cobalt Strike ISFB WastedLocker |
| 2020-06-17 ⋅ Youtube (Red Canary) ⋅ ATT&CK® Deep Dive: Process Injection ISFB Ramnit TrickBot |
| 2020-06-02 ⋅ Lastline Labs ⋅ Evolution of Excel 4.0 Macro Weaponization Agent Tesla DanaBot ISFB TrickBot Zloader |
| 2020-06-02 ⋅ Morphisec ⋅ Ursnif/Gozi Delivery - Excel Macro 4.0 Utilization Uptick & OCR Bypass ISFB |
| 2020-05-07 ⋅ Github (mlodic) ⋅ Ursnif beacon decryptor Gozi ISFB |
| 2020-03-30 ⋅ Intezer ⋅ Fantastic payloads and where we find them Dridex Emotet ISFB TrickBot |
| 2020-03-18 ⋅ Proofpoint ⋅ Coronavirus Threat Landscape Update Agent Tesla Get2 ISFB Remcos |
| 2020-03-04 ⋅ CrowdStrike ⋅ 2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
| 2020-03-03 ⋅ PWC UK ⋅ Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA |
| 2020-01-23 ⋅ SANS ISC InfoSec Forums ⋅ German language malspam pushes Ursnif ISFB |
| 2020-01-22 ⋅ The malware analyst’s guide to PE timestamps Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP |
| 2020-01-17 ⋅ Battle Against Ursnif Malspam Campaign targeting Japan Cutwail ISFB TrickBot UrlZone |
| 2019-12-24 ⋅ Sophos ⋅ Gozi V3: tracked by their own stealth ISFB |
| 2019-12-23 ⋅ Palo Alto Networks Unit 42 ⋅ Wireshark Tutorial: Examining Ursnif Infections ISFB |
| 2019-12-07 ⋅ Secureworks ⋅ End-to-end Botnet Monitoring... Botconf 2019 Emotet ISFB QakBot |
| 2019-08-07 ⋅ Fortinet ⋅ New Ursnif Variant Spreading by Word Document ISFB |
| 2019-07-11 ⋅ Proofpoint ⋅ Threat Actor Profile: TA544 targets geographies from Italy to Japan with a range of malware ISFB PandaBanker UrlZone NARWHAL SPIDER |
| 2019-06-25 ⋅ VMRay ⋅ Analyzing Ursnif’s Behavior Using a Malware Sandbox ISFB |
| 2019-06-19 ⋅ Proofpoint ⋅ URLZone top malware in Japan, while Emotet and LINE Phishing round out the landscape ISFB UrlZone NARWHAL SPIDER |
| 2019-05-25 ⋅ 0ffset Blog ⋅ Analyzing ISFB – The Second Loader ISFB |
| 2019-04-06 ⋅ Youtube (hasherezade) ⋅ Unpacking ISFB (including the custom 'PX' format) ISFB |
| 2019-04-05 ⋅ Yoroi ⋅ Ursnif: The Latest Evolution of the Most Popular Banking Malware ISFB |
| 2019-03-26 ⋅ Yoroi ⋅ The Ursnif Gangs keep Threatening Italy ISFB |
| 2019-03-13 ⋅ 0ffset Blog ⋅ Analysing ISFB – The First Loader ISFB |
| 2019-03-12 ⋅ Cybereason ⋅ New Ursnif Variant targets Japan packed with new Features ISFB UrlZone |
| 2019-03-11 ⋅ Minerva ⋅ Attackers Insert Themselves into the Email Conversation to Spread Malware ISFB |
| 2019-02-07 ⋅ Yoroi ⋅ Ursnif: Long Live the Steganography! ISFB |
| 2019-01-30 ⋅ Cyberbit ⋅ New Ursnif Malware Variant – a Stunning Matryoshka (Матрёшка) ISFB |
| 2019-01-24 ⋅ Cisco Talos ⋅ Cisco AMP tracks new campaign that delivers Ursnif ISFB |
| 2019-01-15 ⋅ 0ffset Blog ⋅ Analyzing COMmunication in Malware ISFB |
| 2019 ⋅ CSIS ⋅ Dreambot Business overview 2019 ISFB |
| 2018-12-18 ⋅ Trend Micro ⋅ URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader Dridex Emotet FriedEx ISFB |
| 2018-05-17 ⋅ Fidelis ⋅ Gozi V3 Technical Update ISFB |
| 2018-03-19 ⋅ Unpacking Ursnif ISFB |
| 2018-03-06 ⋅ Cisco Talos ⋅ Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution ISFB |
| 2018-02-07 ⋅ Cylance ⋅ Threat Spotlight: URSNIF Infostealer Malware ISFB |
| 2018-01-17 ⋅ SANS ISC ⋅ Reviewing the spam filters: Malspam pushing Gozi-ISFB ISFB |
| 2018-01-12 ⋅ Proofpoint ⋅ Holiday lull? Not so much Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER |
| 2017-11-28 ⋅ FireEye ⋅ Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection ISFB |
| 2017-07-02 ⋅ CERT.PL ⋅ ISFB: Still Live and Kicking ISFB |
| 2017-05-29 ⋅ Lokalhost.pl ⋅ Gozi Tree DreamBot Gozi ISFB Powersniff |
| 2017-04-20 ⋅ Malwarebytes ⋅ Binary Options malvertising campaign drops ISFB banking Trojan ISFB |
| 2016-11-01 ⋅ Ariel Koren's Blog ⋅ Ursnif Malware: Deep Technical Dive ISFB |
| 2016-04-14 ⋅ SecurityIntelligence ⋅ Meet GozNym: The Banking Malware Offspring of Gozi ISFB and Nymaim ISFB Nymaim GozNym |
| 2016-03-23 ⋅ Github (gbrindisi) ⋅ Gozi ISFB Sourceccode ISFB |