<— Back

Gozi: The Malware of a Thousand Viral Strains

13:30 – 14:00(SGT) Friday 4 December, 2020

The Gozi sources leaked in 2010, and since then the landscape has been pure chaos. Derivatives of the leak, and derivatives of those derivatives, are constantly being developed, bought, sold and released. This results in a very diverse malware corpus in terms of technical specs, as well as in terms of the typical shape that the underlying malicious operation takes. Yet this entire corpus is known, collectively and interchangeably, as “Gozi”, “Ursnif”, “Dreambot” and “ISFB”. If you dig down a bit more, you get to hear that actually there’s a version 2 as well as a version 3, and a “version 2 RM3” which is different from both of those. Some of these like to social engineer victims with COVID-19 themed malspam, others prefer to pretend they’re packages from DHL. In short, it’s a complete mess.

In this talk, we do our part to help sort out this mess. We lay out in detail the currently active strains of Gozi, and sketch a genealogy of variants — including the technical features that set each variant apart and can be used as IOCs. We then provide a rare glimpse into the backend of the many Gozi campaigns and the various actors involved — including the typical strain of Gozi used, typical methods of operation, typical victims and typical campaign infrastructure such as C&C server topology and webpanel sources used by the campaign ringleaders.