
Cyber Threat Defense

Cyber Security News


Gozi Trojan Using Dark Cloud Botnet

March 9, 2018 By News Team

The Gozi ISFB banking Trojan is being distributed via the ‘Dark Cloud’ botnet, according to a report released this week by researchers at Cisco Talos. Gozi ISFB has been a known threat for several years: it is malware that attackers use to steal online banking credentials from customers of targeted financial institutions. Its source code has been leaked publicly several times and has since been incorporated into other malware families, including GozNym.

Talos has been closely monitoring Gozi ISFB activity since 2016 and has found a series of campaigns over the last six months that used the ‘Dark Cloud’ botnet for distribution. While investigating this, Talos “identified a significant amount of malicious activity making use of this same infrastructure, including Gozi ISFB distribution, Nymaim command and control, and a variety of different spam campaigns and scam activity”.

The Dark Cloud botnet is attractive to attackers because the DNS records of the domains it hosts are rotated every few minutes to point at different hijacked computers. Analysis of a single hosted domain showed that Dark Cloud used 287 different IP addresses over just one day, a rotation roughly every five minutes, which makes the infrastructure, and the operators behind it, extremely hard to track down.

“This demonstrates just how fluid the DNS configuration associated with these domains is and how much infrastructure is being used by these attackers,” said the Talos researchers.
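The rotation described above can be measured directly from passive DNS data. The following Python is an added example written for this article, not code from Cisco Talos or from the report; the record layout, the constructed sample domains (flux.example, cdn.example) and the thresholds are assumptions. It scores each domain by how many distinct addresses and /24 prefixes its answers touch inside the observation window, and shows why rotation rate alone is not enough: a round-robin CDN also changes its answer every few minutes, but over a tiny address pool.

```python
"""Fast-flux scoring over passive-DNS style resolution records.

Added example for this article; not code from Cisco Talos or from the Dark
Cloud operators. The record layout and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: a domain whose answers cover at least this many distinct
# IPs and /24 prefixes inside the window is treated as fast-flux.
MIN_DISTINCT_IPS = 20
MIN_DISTINCT_PREFIXES = 10


def build_sample():
    """Constructed passive-DNS records: (timestamp, qname, answer_ip).

    flux.example mirrors the article: 288 answers at five-minute intervals
    over one day, touching 287 distinct addresses. cdn.example is a benign
    control that also changes every five minutes but only cycles through
    three addresses in a single /24.
    """
    start = datetime(2018, 3, 1)
    records = []
    for i in range(288):
        ts = start + timedelta(minutes=5 * i)
        idx = i % 287  # 287 unique hosts, the last answer repeats the first
        records.append((ts, "flux.example", f"10.{idx // 256}.{idx % 256}.1"))
        records.append((ts, "cdn.example", f"192.0.2.{10 + i % 3}"))
    return records


def flux_stats(records):
    """Return per-domain rotation statistics and a fast-flux verdict."""
    by_domain = defaultdict(list)
    for ts, qname, ip in records:
        by_domain[qname].append((ts, ip))

    stats = {}
    for qname, hits in by_domain.items():
        hits.sort()
        ips = {ip for _, ip in hits}
        prefixes = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        # Count answer-to-answer changes; the observed span divided by the
        # change count is the effective rotation interval.
        changes = sum(1 for (_, a), (_, b) in zip(hits, hits[1:]) if a != b)
        span_min = (hits[-1][0] - hits[0][0]).total_seconds() / 60
        rotation_min = span_min / changes if changes else None
        stats[qname] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "changes": changes,
            "minutes_per_change": rotation_min,
            # Rotation alone does not separate flux from a round-robin CDN;
            # the breadth of the address pool does.
            "fast_flux": len(ips) >= MIN_DISTINCT_IPS
            and len(prefixes) >= MIN_DISTINCT_PREFIXES,
        }
    return stats


if __name__ == "__main__":
    for qname, s in flux_stats(build_sample()).items():
        print(qname, s)
```

Run as a script it prints the per-domain statistics; in practice the records come from a passive DNS feed or resolver logs, and the thresholds should be tuned against the organization's own baseline, since large CDNs legitimately spread one hostname across many addresses and prefixes.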

The distribution of Gozi in these campaigns is more restrained than in many other malware campaigns. The attackers select particular organizations and send them custom messages and attachments, both to avoid detection and to increase the likelihood that the target opens the attachment. Even the lure documents are individualized, which shows how much effort is going into the campaign.

If the Word document is opened, the user is prompted to “enable content” in order to view the file. Doing so runs the document's embedded macro, which downloads Gozi from the attackers' command-and-control (C&C) server and installs it on the machine.
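A triage check for lure documents of the kind described above, added here as an example and not taken from the Talos report: it inspects an OOXML package (.docm or a renamed .docx) for the VBA project part and the macro-enabled content type that make Word show the “Enable Content” bar, and recognizes the legacy OLE binary format that this check does not cover. The sample documents are constructed in memory; the placeholder VBA bytes are an assumption and contain no real macro.

```python
"""Triage check: does a Word document carry a VBA project?

Added example for this article, not code from Cisco Talos. Builds minimal
OOXML packages in memory as constructed stand-ins for a lure document and
reports whether opening one would require the user to "enable content".
"""
import io
import zipfile

VBA_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument"
    ".wordprocessingml.document.main+xml"
)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc header


def build_sample_doc(with_macro):
    """Construct a minimal OOXML zip. The VBA part is a placeholder."""
    buf = io.BytesIO()
    main_type = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
            f'content-types"><Override PartName="/word/document.xml" '
            f'ContentType="{main_type}"/></Types>',
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin is an OLE compound file; this is filler.
            z.writestr(VBA_PART, OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def inspect_document(data):
    """Return format and macro indicators for the document bytes."""
    if data[:8] == OLE_MAGIC:
        # Legacy .doc stores macros inside OLE storages, not as a zip part;
        # this example only handles the OOXML package format.
        return {"format": "ole", "has_vba_part": None,
                "macro_content_type": None, "requires_enable_content": None}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"format": "unknown", "has_vba_part": None,
                "macro_content_type": None, "requires_enable_content": None}

    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
    has_vba = VBA_PART in names
    macro_type = MACRO_CONTENT_TYPE in ctypes
    # Either indicator is enough to treat the file as a macro document; the
    # extension is ignored on purpose, since it is attacker-controlled.
    return {"format": "ooxml", "has_vba_part": has_vba,
            "macro_content_type": macro_type,
            "requires_enable_content": has_vba or macro_type}


if __name__ == "__main__":
    for flag in (True, False):
        print("macro" if flag else "plain", inspect_document(build_sample_doc(flag)))
```

Any file flagged by this check should be detonated or handed to a macro extractor rather than opened; the presence of a VBA project is the signal, not its contents.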

Even though Gozi is this group's primary payload, Talos says other payloads will likely be distributed as well, as an insurance policy in case Gozi ever becomes unusable. The Dark Cloud botnet, meanwhile, is meant to keep the operation's infrastructure hidden, and Gozi profitable, for as long as possible.

“Attackers are continuing to modify their techniques and finding effective new ways to obfuscate their malicious server infrastructure in an attempt to make analysis and tracking more difficult,” said Talos researchers, who added that Gozi “will not be going away any time soon”.

Filed Under: Bot Defense, Malware Tagged With: banking trojan, botnet, Cisco Talos, Dark Cloud, Gozi, Malware, Ursnif/Gozi-ISFB sample

Cyber Threat Defense.net | Copyright © 2019 All product names, logos, and brands are property of their respective owners. All company, product and service names used on site are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.