Gozi: The Malware of a Thousand Viral Strains
13:30 – 14:00(SGT) Friday 4 December, 2020
The Gozi sources leaked in 2010, and since then the landscape has been pure chaos. Derivatives of the leak, and derivatives of those derivatives, are constantly being developed, bought, sold and released. This results in a very diverse malware corpus in terms of technical specs, as well as in terms of the typical shape that the underlying malicious operation takes. Yet this entire corpus is known, collectively and interchangeably, as “Gozi”, “Ursnif”, “Dreambot” and “ISFB”. If you dig down a bit more, you get to hear that actually there’s a version 2 as well as a version 3, and a “version 2 RM3” which is different from both of those. Some of these like to social engineer victims with COVID-19 themed malspam, others prefer to pretend they’re packages from DHL. In short, it’s a complete mess.
In this talk, we do our part to help sort out this mess. We lay out in detail the currently active strains of Gozi, and sketch a genealogy of variants — including the technical features that set each variant apart and can be used as IOCs. We then provide a rare glimpse into the backend of the many Gozi campaigns and the various actors involved — including the typical strain of Gozi used, typical methods of operation, typical victims and typical campaign infrastructure such as C&C server topology and webpanel sources used by the campaign ringleaders.
Check Point Software
Ben Herzog is a maths aficionado working undercover at Check Point as a security researcher. His interests include Cryptography, Reverse Engineering and Machine Learning. He majored in mathematics and computer science at the Technion, and has been serving as course staff for Check Point Security Academy for several years, teaching Cryptography and Malware Analysis.
Check Point Software
Israel Gubi is a Security Researcher and Reverse Engineer in the Malware Research Team at Check Point Research. Israel joined Check Point in 2017 and was part of the first cycle of the Check Point Security Academy. Israel mainly focuses on malware analysis and malware hunting of both cybercrime and Advanced Persistent Threat campaigns. In his free time, Israel loves any kind of sports, especially tennis and bouldering.