Gozi Goes to Bulgaria — Is Cybercrime Heading to Less Charted Territory?

In what appears to be a trend, another banking Trojan is  ready to attack in Eastern Europe. This time it is the Gozi/ISFB Trojan, which just added 9 major banks in Bulgaria to its list of targets.

What’s New?

In early-August 2015, IBM Security X-Force researchers analyzed a new Gozi Trojan configuration file that is, according to our data, the first one dedicated to exclusively targeting Bulgarian banks. Previous versions of this malware attack in the US, UK, AU, as well as Saudi Arabia and the Persian Gulf, but this is a first for Bulgaria.

Our analysis reveals that Gozi’s developers have expanded the capabilities and reach of the malware by updating its web injections to match the Bulgarian banks they are targeting.

Bulgaria and Cybercrime

When it comes to cybercrime, rather than being a popular target, Bulgaria is more known for its locally-based perpetrators, making the headlines in cases of Internet fraud, payment card fraud, ATM fraud and the like. In a fraud update report released last year by the European ATM Security Team (EAST), Bulgaria was named as home to a “significant Bulgarian organized crime network suspected of a variety of crimes including large scale ATM skimming, electronic payment fraud and forgery of documents.”
As a victim of cybercrime, Bulgaria is not often on the attackers’ roster, and losses the country incurs as a result of cyber-borne threats are not widely documented. The most common issue banks suffer from in Bulgaria is accounts used as money mules to withdraw and launder funds that come from other countries. The most recent mention of banks in Bulgaria suffering cybercrime losses appeared when the Carbanak heist was uncovered, alongside a long list of other banks from all over the world.

Bulgaria’s Chief Directorate for Combating Organized Crime, Vasil Petkov, was quoted as saying, “Fortunately, cybercrime in Bulgaria is not world-class, perhaps because the cybercriminals do not see a big target here.” But the country still experiences some cybercrime and ransomware attacks, and its businesses are targeted for their corporate bank accounts.

With Gozi tuning up its configuration to begin attacking Bulgaria, are things starting to change? Earlier this year, in a meeting with the director of the FBI, the Bulgarian prime minister agreed that online crimes are a growing problem in the country. This may just be a sign that things are indeed heating up.

About Gozi

The Gozi Trojan, also known as ISFB and Ursnif, is one of the longest-standing banking Trojans in the wild today. It was first discovered in 2007, when it was operated by a closed group of malware developers and fraudsters for online banking wire fraud, mostly targeting English-speaking countries.

In September 2010, Gozi’s original source code (ISFB) was unintentionally leaked by one of its developers when the team was working on a major version upgrade they were going to name Gozi v2.

Original Gozi v2 variants started appearing in the wild towards the end of 2010, using new webinjection mechanisms that were developed to attack European and American banks. The leaked ISFB code was further repurposed to build the Vawtrak/Neverquest evolution of this malware. In 2012, an apparently proprietary version of Gozi was used in the widely publicized Prinimalka ordeal.

For the past five years, Gozi v2’s developers have been escalating its pervasive techniques and the methods it uses to inject social engineering into banks’ online pages. Current Gozi variants show consistent evidence that the project is very much alive, and it’s frequently modified for new capabilities and methods to circumvent security in the online service channels.

Learn more about Staying ahead of threats with global threat intelligence

Why Eastern Europe?

So what’s sparking cybercriminals’ rising interest in targeting Easter European countries? Financially motivated cybercriminals are most known for their broad-stroke attacks, where they can tailor their spam and wares to as large a population as possible at one time. Attacks in English speaking countries are therefore rampant both because of the common language, and also because their currency can be more attractive. So how come now malware like Tinba and Gozi turn in a less expected direction, targeting linguistic areas that only apply in one place, and where accounts are less likely to be replete with cash.

In cybercrime things are sometimes simpler than they seem: fraudsters always take the path of least resistance. If they have been tackling very advanced fraud protection measures in the U.S. and the U.K., they may very well be testing out their ability to rob bank accounts in territories that are perhaps less protected, or less experienced dealing with advanced malware.

Expanding Horizons?

According to IBM Security data, the configurations that come from the Gozi variation that plans to attack Bulgarian banks began showing up in early August 2015. It did not target Bulgaria up until that point.

A look into past attacks by the same Trojan shows that since the beginning of 2015, Gozi’s most intent focus remains the USA and the UK, but it began adding new target territories in March and July 2015.

According to historical configurations, Gozi’s operator may begin by adding one target bank from a new country it is aiming at, test it for a few months, and then expand the list considerably later down the line. For example, in Saudi Arabia Gozi used to only target one bank, then in July 2015 it expanded its Saudi-targeting list to 15 different targets. Will Gozi be applying the same method to Bulgaria? Only time will tell, but Gozi definitely has plans for Eastern Europe since it also added triggers for a small number of banks in Latvia in early July.

Gozi's Top Targeted Countries in 2015 (Source: IBM Security Data)
Figure 1: Gozi’s Top Targeted Countries in 2015 (Source: IBM Security)

Fighting Gozi

With IBM Security Trusteer solutions, financial organizations gain access to a real-time malware intelligence network that provides insight into fraudster techniques and capabilities, much like this malware’s expansion into new territories. This global threat intelligence serves as the foundation for IBM Security Trusteer automated threat protection capabilities, and is used by IBM Security experts to help develop and deliver new protections for organizations like yours.

At IBM, a research and development (R&D) team of security experts scrutinizes threat intelligence as it arrives from both Trusteer-protected endpoints, as well as underground cybercrime venues. IBM Security Trusteer solutions use this intelligence to deliver flexible protection layers that can be rapidly configured and updated by IBM R&D staff. As a result, as soon as new threats emerge or mutate, new countermeasures are automatically deployed back into Trusteer software without any intervention by bank security staff and without any noticeable impact to banking customers.

Share this Article:
Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence  publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.