The Gozi ISFB banking Trojan is being distributed via the ‘Dark Cloud’ botnet, according to researchers at Cisco Talos in a new report out this week. Gozi ISFB has been a known threat for several years: it is malware that attackers use to steal banking credentials from customers of specific financial institutions. Its source code has been publicly leaked several times and has consequently been incorporated into other malware, including GozNym.
Talos has been closely monitoring Gozi ISFB activity since 2016 and, over the last six months, has observed a series of campaigns that used the ‘Dark Cloud’ botnet for distribution. While investigating this, Talos has “identified a significant amount of malicious activity making use of this same infrastructure, including Gozi ISFB distribution, Nymaim command and control, and a variety of different spam campaigns and scam activity”.
The Dark Cloud botnet is appealing to attackers because it uses its hijacked computers as the hosts behind its domains and rotates the DNS records for that hosted activity every few minutes. Analysis of a single website showed that Dark Cloud used 287 different IP addresses over just one day, equivalent to a rotation roughly every five minutes, making it extremely difficult to track down the operators behind the botnet.
“This demonstrates just how fluid the DNS configuration associated with these domains is and how much infrastructure is being used by these attackers,” said the Talos researchers.
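The rotation pattern described above is what defenders usually call fast-flux DNS, and the number Talos reports (287 addresses in one day) is a useful calibration point for a detector. The script below is an added example, not code from Talos or from the article: it summarizes constructed passive-DNS records per domain, derives the average minutes per distinct IP, and flags domains whose address count is large and whose rotation is rapid. It also shows why counting IP changes alone is a poor signal, since a benign domain alternating between two addresses changes just as often. All domains, addresses, timestamps and thresholds in it are constructed or assumed.

```python
"""Fast-flux detector over passive-DNS resolution records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress


def build_constructed_records():
    """Return constructed log lines of the form 'timestamp domain resolved_ip'.

    flux-example.invalid answers with a fresh address every 5 minutes for a day
    (288 answers, 288 distinct IPs); static-example.invalid alternates between
    two addresses on the same schedule. Both domains and all IPs are made up.
    """
    base = datetime(2018, 3, 1)  # constructed start of the observation day
    records = []
    first = int(ipaddress.IPv4Address("10.0.0.0"))  # constructed address pool
    for i in range(288):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        records.append(f"{ts} flux-example.invalid {ipaddress.IPv4Address(first + i)}")
        benign_ip = "192.0.2.10" if i % 2 == 0 else "192.0.2.11"
        records.append(f"{ts} static-example.invalid {benign_ip}")
    return records


def parse_record(line):
    """Split one 'timestamp domain ip' line into typed fields."""
    ts, domain, ip = line.split()
    return datetime.fromisoformat(ts), domain, ip


def summarize(records):
    """Per-domain statistics: distinct IPs, observation span, consecutive IP changes."""
    seen = defaultdict(list)
    for line in records:
        ts, domain, ip = parse_record(line)
        seen[domain].append((ts, ip))
    summary = {}
    for domain, obs in seen.items():
        obs.sort()
        distinct = {ip for _, ip in obs}
        span = obs[-1][0] - obs[0][0]
        changes = sum(1 for (_, a), (_, b) in zip(obs, obs[1:]) if a != b)
        summary[domain] = {
            "distinct_ips": len(distinct),
            "span_minutes": span.total_seconds() / 60,
            "ip_changes": changes,
        }
    return summary


def minutes_per_ip(distinct_ips, span_minutes=1440.0):
    """Average lifetime of one address, e.g. the article's 287 IPs per day -> ~5 min."""
    return span_minutes / distinct_ips


def is_fast_flux(stats, min_distinct_ips=50, max_minutes_per_ip=15.0):
    """Flag a domain only when many distinct addresses rotate quickly.

    The thresholds are assumptions for this example; a real deployment would
    tune them against its own passive-DNS baseline.
    """
    if stats["distinct_ips"] < min_distinct_ips:
        return False
    return minutes_per_ip(stats["distinct_ips"], stats["span_minutes"]) <= max_minutes_per_ip


if __name__ == "__main__":
    for domain, stats in summarize(build_constructed_records()).items():
        verdict = "FAST-FLUX" if is_fast_flux(stats) else "normal"
        print(f"{domain}: {stats} -> {verdict}")
    print(f"article figure: 287 IPs/day ~ {minutes_per_ip(287):.1f} min per address")
```

Run against real passive-DNS exports by replacing `build_constructed_records()` with a reader for your own log format; the thresholds are starting points and should be tuned so that large legitimate CDN domains, which also resolve to many addresses, do not dominate the alerts.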
The distribution of the Gozi malware is more targeted than in many other malware campaigns. The attackers select particular organizations to attack with custom messages and attachments, in an attempt to avoid detection while increasing the likelihood that the target will open the attachments. Even the lure documents are individualized, revealing how much effort is going into the campaign.
If the Word document is opened, the user is prompted to “enable content” to see the file. If they do so, Gozi is downloaded from the attackers’ command-and-control (C&C) server and installed on the machine.
Even though Gozi is the primary focus of this group, Talos says it is likely that additional payloads will also be distributed as an insurance policy in case the malware ever becomes redundant. The use of the Dark Cloud botnet, meanwhile, is intended to keep Gozi undetected, and therefore profitable, for as long as possible.
“Attackers are continuing to modify their techniques and finding effective new ways to obfuscate their malicious server infrastructure in an attempt to make analysis and tracking more difficult,” said Talos researchers, who added that Gozi “will not be going away any time soon”.