In what appears to be a trend, another banking Trojan is ready to attack in Eastern Europe. This time it is the Gozi/ISFB Trojan, which has just added nine major banks in Bulgaria to its list of targets.

What’s New?

In early August 2015, IBM Security X-Force researchers analyzed a new Gozi Trojan configuration file that, according to our data, is the first one dedicated exclusively to targeting Bulgarian banks. Previous versions of this malware attacked banks in the U.S., the U.K., Australia, Saudi Arabia and the Persian Gulf, but this is a first for Bulgaria.

Our analysis reveals that Gozi’s developers have expanded the capabilities and reach of the malware by updating its web injections to match the Bulgarian banks they are targeting.

Bulgaria and Cybercrime

When it comes to cybercrime, Bulgaria is less known as a popular target than for its locally based perpetrators, who make the headlines in cases of Internet fraud, payment card fraud, ATM fraud and the like. In a fraud update report released last year by the European ATM Security Team (EAST), Bulgaria was named as home to a “significant Bulgarian organized crime network suspected of a variety of crimes including large scale ATM skimming, electronic payment fraud and forgery of documents.”

As a victim of cybercrime, Bulgaria is not often on attackers’ rosters, and the losses the country incurs from cyber-borne threats are not widely documented. The most common issue Bulgarian banks suffer from is accounts being used by money mules to withdraw and launder funds that originate in other countries. The most recent mention of banks in Bulgaria suffering cybercrime losses came when the Carbanak heist was uncovered, alongside a long list of other banks from all over the world.

Vasil Petkov of Bulgaria’s Chief Directorate for Combating Organized Crime was quoted as saying, “Fortunately, cybercrime in Bulgaria is not world-class, perhaps because the cybercriminals do not see a big target here.” But the country still experiences some cybercrime and ransomware attacks, and its businesses are targeted for their corporate bank accounts.

With Gozi tuning up its configuration to begin attacking Bulgaria, are things starting to change? Earlier this year, in a meeting with the director of the FBI, the Bulgarian prime minister agreed that online crimes are a growing problem in the country. This may just be a sign that things are indeed heating up.

About Gozi

The Gozi Trojan, also known as ISFB and Ursnif, is one of the longest-standing banking Trojans in the wild today. It was first discovered in 2007, when it was operated by a closed group of malware developers and fraudsters for online banking wire fraud, mostly targeting English-speaking countries.

In September 2010, Gozi’s original source code (ISFB) was unintentionally leaked by one of its developers when the team was working on a major version upgrade they were going to name Gozi v2.

Original Gozi v2 variants started appearing in the wild towards the end of 2010, using new web injection mechanisms developed to attack European and American banks. The leaked ISFB code was further repurposed to build the Vawtrak/Neverquest evolution of this malware. In 2012, an apparently proprietary version of Gozi was used in the widely publicized Prinimalka ordeal.

For the past five years, Gozi v2’s developers have kept refining its techniques and the methods it uses to inject social engineering content into banks’ online pages. Current Gozi variants show consistent evidence that the project is very much alive and is frequently modified with new capabilities and methods to circumvent security in online service channels.


Why Eastern Europe?

So what’s sparking cybercriminals’ rising interest in targeting Eastern European countries? Financially motivated cybercriminals are best known for broad-stroke attacks, in which they tailor their spam and wares to as large a population as possible at one time. Attacks in English-speaking countries are therefore rampant, both because of the common language and because their currencies can be more attractive. Why, then, are malware families like Tinba and Gozi now turning in a less expected direction, targeting languages spoken in only one place, where accounts are less likely to be replete with cash?

In cybercrime things are sometimes simpler than they seem: fraudsters always take the path of least resistance. If they have been tackling very advanced fraud protection measures in the U.S. and the U.K., they may very well be testing out their ability to rob bank accounts in territories that are perhaps less protected, or less experienced dealing with advanced malware.

Expanding Horizons?

According to IBM Security data, configurations from the Gozi variant that targets Bulgarian banks began showing up in early August 2015. It did not target Bulgaria up until that point.

A look into past attacks by the same Trojan shows that since the beginning of 2015, Gozi’s primary focus has remained the U.S. and the U.K., but it began adding new target territories in March and July 2015.

According to historical configurations, Gozi’s operators may begin by adding one target bank from a new country, test it for a few months and then expand the list considerably later on. For example, in Saudi Arabia Gozi used to target only one bank; then, in July 2015, it expanded its Saudi target list to 15 different banks. Will Gozi apply the same method to Bulgaria? Only time will tell, but Gozi definitely has plans for Eastern Europe, since it also added triggers for a small number of banks in Latvia in early July.


Figure 1: Gozi’s Top Targeted Countries in 2015 (Source: IBM Security)

Fighting Gozi

With IBM Security Trusteer solutions, financial organizations gain access to a real-time malware intelligence network that provides insight into fraudster techniques and capabilities, much like this malware’s expansion into new territories. This global threat intelligence serves as the foundation for IBM Security Trusteer automated threat protection capabilities, and is used by IBM Security experts to help develop and deliver new protections for organizations like yours.

At IBM, a research and development (R&D) team of security experts scrutinizes threat intelligence as it arrives from both Trusteer-protected endpoints and underground cybercrime venues. IBM Security Trusteer solutions use this intelligence to deliver flexible protection layers that can be rapidly configured and updated by IBM R&D staff. As a result, as soon as new threats emerge or mutate, new countermeasures are automatically deployed to Trusteer software without any intervention by bank security staff and without any noticeable impact on banking customers.
