August 18, 2015 By Limor Kessem 4 min read

In what appears to be a trend, another banking Trojan is  ready to attack in Eastern Europe. This time it is the Gozi/ISFB Trojan, which just added 9 major banks in Bulgaria to its list of targets.

What’s New?

In early-August 2015, IBM Security X-Force researchers analyzed a new Gozi Trojan configuration file that is, according to our data, the first one dedicated to exclusively targeting Bulgarian banks. Previous versions of this malware attack in the US, UK, AU, as well as Saudi Arabia and the Persian Gulf, but this is a first for Bulgaria.

Our analysis reveals that Gozi’s developers have expanded the capabilities and reach of the malware by updating its web injections to match the Bulgarian banks they are targeting.

Bulgaria and Cybercrime

When it comes to cybercrime, rather than being a popular target, Bulgaria is more known for its locally-based perpetrators, making the headlines in cases of Internet fraud, payment card fraud, ATM fraud and the like. In a fraud update report released last year by the European ATM Security Team (EAST), Bulgaria was named as home to a “significant Bulgarian organized crime network suspected of a variety of crimes including large scale ATM skimming, electronic payment fraud and forgery of documents.”
As a victim of cybercrime, Bulgaria is not often on the attackers’ roster, and losses the country incurs as a result of cyber-borne threats are not widely documented. The most common issue banks suffer from in Bulgaria is accounts used as money mules to withdraw and launder funds that come from other countries. The most recent mention of banks in Bulgaria suffering cybercrime losses appeared when the Carbanak heist was uncovered, alongside a long list of other banks from all over the world.

Bulgaria’s Chief Directorate for Combating Organized Crime, Vasil Petkov, was quoted as saying, “Fortunately, cybercrime in Bulgaria is not world-class, perhaps because the cybercriminals do not see a big target here.” But the country still experiences some cybercrime and ransomware attacks, and its businesses are targeted for their corporate bank accounts.

With Gozi tuning up its configuration to begin attacking Bulgaria, are things starting to change? Earlier this year, in a meeting with the director of the FBI, the Bulgarian prime minister agreed that online crimes are a growing problem in the country. This may just be a sign that things are indeed heating up.

About Gozi

The Gozi Trojan, also known as ISFB and Ursnif, is one of the longest-standing banking Trojans in the wild today. It was first discovered in 2007, when it was operated by a closed group of malware developers and fraudsters for online banking wire fraud, mostly targeting English-speaking countries.

In September 2010, Gozi’s original source code (ISFB) was unintentionally leaked by one of its developers when the team was working on a major version upgrade they were going to name Gozi v2.

Original Gozi v2 variants started appearing in the wild towards the end of 2010, using new webinjection mechanisms that were developed to attack European and American banks. The leaked ISFB code was further repurposed to build the Vawtrak/Neverquest evolution of this malware. In 2012, an apparently proprietary version of Gozi was used in the widely publicized Prinimalka ordeal.

For the past five years, Gozi v2’s developers have been escalating its pervasive techniques and the methods it uses to inject social engineering into banks’ online pages. Current Gozi variants show consistent evidence that the project is very much alive, and it’s frequently modified for new capabilities and methods to circumvent security in the online service channels.

Learn more about Staying ahead of threats with global threat intelligence

Why Eastern Europe?

So what’s sparking cybercriminals’ rising interest in targeting Easter European countries? Financially motivated cybercriminals are most known for their broad-stroke attacks, where they can tailor their spam and wares to as large a population as possible at one time. Attacks in English speaking countries are therefore rampant both because of the common language, and also because their currency can be more attractive. So how come now malware like Tinba and Gozi turn in a less expected direction, targeting linguistic areas that only apply in one place, and where accounts are less likely to be replete with cash.

In cybercrime things are sometimes simpler than they seem: fraudsters always take the path of least resistance. If they have been tackling very advanced fraud protection measures in the U.S. and the U.K., they may very well be testing out their ability to rob bank accounts in territories that are perhaps less protected, or less experienced dealing with advanced malware.

Expanding Horizons?

According to IBM Security data, the configurations that come from the Gozi variation that plans to attack Bulgarian banks began showing up in early August 2015. It did not target Bulgaria up until that point.

A look into past attacks by the same Trojan shows that since the beginning of 2015, Gozi’s most intent focus remains the USA and the UK, but it began adding new target territories in March and July 2015.

According to historical configurations, Gozi’s operator may begin by adding one target bank from a new country it is aiming at, test it for a few months, and then expand the list considerably later down the line. For example, in Saudi Arabia Gozi used to only target one bank, then in July 2015 it expanded its Saudi-targeting list to 15 different targets. Will Gozi be applying the same method to Bulgaria? Only time will tell, but Gozi definitely has plans for Eastern Europe since it also added triggers for a small number of banks in Latvia in early July.


Figure 1: Gozi’s Top Targeted Countries in 2015 (Source: IBM Security)

Fighting Gozi

With IBM Security Trusteer solutions, financial organizations gain access to a real-time malware intelligence network that provides insight into fraudster techniques and capabilities, much like this malware’s expansion into new territories. This global threat intelligence serves as the foundation for IBM Security Trusteer automated threat protection capabilities, and is used by IBM Security experts to help develop and deliver new protections for organizations like yours.

At IBM, a research and development (R&D) team of security experts scrutinizes threat intelligence as it arrives from both Trusteer-protected endpoints, as well as underground cybercrime venues. IBM Security Trusteer solutions use this intelligence to deliver flexible protection layers that can be rapidly configured and updated by IBM R&D staff. As a result, as soon as new threats emerge or mutate, new countermeasures are automatically deployed back into Trusteer software without any intervention by bank security staff and without any noticeable impact to banking customers.

More from Threat Intelligence

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Threat intelligence to protect vulnerable communities

2 min read - Key members of civil society—including journalists, political activists and human rights advocates—have long been in the cyber crosshairs of well-resourced nation-state threat actors but have scarce resources to protect themselves from cyber threats. On May 14, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a High-Risk Communities Protection (HRCP) report developed through the Joint Cyber Defense Collaborative that addresses the threat to these vulnerable groups, with findings contributed by the X-Force Threat Intelligence team.Cyber criminals seek stolen credentialsThe HRCP…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today