One of the most notable malware shifts of last year, according to the IBM X-Force Threat Intelligence Index 2018 report, was the rise of Gozi (aka Ursnif) variants to the top of the most active financial malware list in 2017. Zeus variants had held that position for the preceding couple of years.

In the first quarter of 2018, Gozi was observed consuming an even larger piece of the financial malware pie, and that trend continues as we enter Q2. It has even added a new trick up its sleeve: distributing IcedID, a banking Trojan discovered by X-Force researchers in September 2017.

Gozi’s Slow and Steady Climb to the Top

The Gozi banking Trojan was first discovered in 2007 when it was operated by a closed group of developers and cybercriminals, but it has since evolved and proliferated. The malware’s code was leaked in 2010, which led to its reuse in subsequent Gozi operations. It was later adopted as the core code for several other Trojans, including Neverquest and GozNym.

Nearly a decade after its discovery, Gozi began increasing in prevalence, becoming the third- and then the second-most prevalent malware family globally. One catalyst for this rise was the abrupt decline of Neverquest activity in 2017. The Neverquest Trojan was operated by a cybercrime-as-a-service gang that had been part of the crimeware arena since 2013.

Another reason for Gozi’s increasing presence has to do with its widening geographical scope. The malware is performing massive infections worldwide, and X-Force researchers suspect it is being operated by different actors based on their code, behavioral deployment and target location. In 2017, for example, Gozi presented configurations targeting banks in Bulgaria, Poland, Spain and the Czech Republic, in addition to its established target regions in North America, Australia and Japan.

Full Steam Ahead in 2018

Taking a look at the financial crimeware arena for Q1 2018, we see that Gozi is still the top-ranked Trojan. It made up 28 percent of the activity, up 5 percent from the full year view for 2017. However, Zeus activity is also up 4 percent over last year. Relative activity volumes for other financial malware families, such as Dridex and Ramnit, have dropped noticeably — down 4 percent and 8 percent, respectively.

Figure 1: Most prevalent financial malware families, Q1 2018 (Source: IBM X-Force)

Interestingly, our incident response teams in North America have predominantly encountered QakBot (aka PinkSlip), the seventh-ranked financial malware family on the list above, and Emotet. In 2017, X-Force Incident Response and Intelligence Services (IRIS) responders observed a wave of QakBot-induced Active Directory (AD) lockouts across several incident response engagements. The Emotet malware was found distributing IcedID last year, among other banking Trojans. According to X-Force research, Emotet’s most prominent attack zone is the U.S. To a lesser extent, it also targets users in the U.K. and other parts of the world.

Financial Malware Outlook

Gozi’s continued dominance proves that cybercrime has moved on from commercial and fly-by-night malware operators and that organized, businesslike gangs are taking the lead in 2018.

Is there room for surprise? Always. Take IcedID, for example. Not long after X-Force’s discovery last year, the group operating IcedID appeared to take a step back and reduced its activity significantly. IcedID did not make the 2017 list of the most prevalent financial malware, but it did pop up in the 10th spot for Q1 2018 with 3 percent of the relative activity volume. A recent third-party report noted that the IcedID gang is cooperating with Gozi’s operators, using Gozi’s capabilities to distribute and load other malware, which X-Force has confirmed to be the case.

To learn how to minimize the risk associated with banking Trojans such as Gozi, refer to our malware mitigation tips. Financial institutions can also help protect their customers against these threats by adopting fraud protection solutions powered by cognitive analytics.
