In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest.

Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms, recognizing the lucrative nature of these sectors.

The history of Gozi

In 2006, a Russian developer named Nikita Kurmin created the first version of Gozi CRM. While developing the malware, Kurmin borrowed code from another spyware called Ursnif, also known as Snifula, developed by Alexey Ivanov around 2000. As a result, Gozi v1.0 featured a formgrabber module and was often classified as Ursnif/Snifula due to the shared codebase. With these capabilities, Gozi CRM quickly gained attention in the cybercriminal community.

In September 2010, a significant event occurred that would shape the future of Gozi. The source code of a specific Gozi CRM dynamic link library (DLL) version was leaked, exposing its inner workings to the wider world. This leak had far-reaching consequences, as it enabled the creation of new malware strains that leveraged Gozi’s codebase.

In June 2023, Mihai Ionut Paunescu, a Romanian hacker, was sentenced to three years in U.S. federal prison for his role in running a “bulletproof hosting” service called PowerHost[.]ro. This service aided cybercriminals in distributing various malware strains, including Gozi Virus, Zeus Trojan, SpyEye Trojan and BlackEnergy malware.

New Gozi campaigns aim high

Cryptocurrency companies are an attractive target, and the latest iteration of Gozi has brought new elements to its modus operandi. Notably, it is now spreading across Asia, broadening its reach beyond its previous target regions.

A key weapon in Gozi’s arsenal is the use of web injects. These malicious code injections are designed to modify the content of legitimate websites, making them appear genuine to unsuspecting users. By mimicking legitimate login pages or transaction forms, Gozi tricks users into entering their credentials and financial information, unknowingly providing them directly to the attackers.

Figure 1 — Targeted list from Gozi configuration

We covered Gozi’s recent campaign targeted at Italian banks in this report.

Figure 2 — Gozi attacker asking the victim to generate a security code from a mobile application

Additionally, Gozi has targeted various companies associated with cryptocurrency, such as cryptocurrency exchanges, wallets and blockchain service providers, aiming to exploit the lucrative nature of the digital currency industry. These developments mark a significant expansion in the geographical and sectoral scope of Gozi’s cyberattacks.

Asia has been a significant hub for cryptocurrency trading and exchanges. The cryptocurrency exchange platforms based there may be attractive targets due to the potential for financial gain and the high value of digital assets.

Gozi malware can target the login credentials of cryptocurrency exchange platforms. By stealing usernames, passwords and two-factor authentication codes, cybercriminals can gain unauthorized access to user accounts, facilitating unauthorized trading or funds withdrawal.

How to avoid Gozi malware

Here are some recommendations to avoid Gozi malware and protect yourself from similar threats:

  • Be wary of email links. Exercise caution when opening email attachments or clicking on links, especially if they come from unknown or suspicious sources. Be particularly vigilant for phishing emails that may attempt to trick you into downloading malware.
  • Increase your password security. Create strong and unique passwords for all your online accounts, including cryptocurrency exchanges and wallets. Avoid using easily guessable information and consider using a reliable password manager to securely store and manage your passwords.
  • Remain vigilant online. Pay attention to any unusual behavior or unexpected requests when accessing websites, especially financial or cryptocurrency-related platforms. If you encounter unexpected pop-ups, requests for additional personal information, or changes in website appearance, it could be a sign of a web inject attempting to deceive you.
  • Stay informed about the latest cybersecurity threats and best practices. Familiarize yourself with common techniques used by cybercriminals, such as phishing scams and social engineering, to avoid falling victim to their tactics.

One of the best tools to detect Gozi malware and protect your organization is IBM Security Trusteer Pinpoint Detect. The tool uses artificial intelligence and machine learning to protect digital channels against account takeover and fraudulent transactions and detect user devices infected with high-risk malware. Learn more here.

Indicators of compromise

C&C

hxxps://gestorbancasrl.com

hxxps://gestorbancosrl.com

hxxps://avas1ta.com/in

hxxps://avas1t.de/in

hxxps://njamma.com

hxxps://itgjmfgdzxcv.com

MD5

471d596dad7ca027a44b21f3c3a2a0d9

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today