In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest.
Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms, recognizing the lucrative nature of these sectors.
The history of Gozi
In 2006, a Russian developer named Nikita Kurmin created the first version of Gozi CRM. While developing the malware, Kurmin borrowed code from another spyware called Ursnif, also known as Snifula, developed by Alexey Ivanov around 2000. As a result, Gozi v1.0 featured a formgrabber module and was often classified as Ursnif/Snifula due to the shared codebase. With these capabilities, Gozi CRM quickly gained attention in the cybercriminal community.
In September 2010, a significant event occurred that would shape the future of Gozi. The source code of a specific Gozi CRM dynamic link library (DLL) version was leaked, exposing its inner workings to the wider world. This leak had far-reaching consequences, as it enabled the creation of new malware strains that leveraged Gozi’s codebase.
In June 2023, Mihai Ionut Paunescu, a Romanian hacker, was sentenced to three years in U.S. federal prison for his role in running a “bulletproof hosting” service called PowerHost[.]ro. This service aided cybercriminals in distributing various malware strains, including Gozi Virus, Zeus Trojan, SpyEye Trojan and BlackEnergy malware.
New Gozi campaigns aim high
Cryptocurrency companies are an attractive target, and the latest iteration of Gozi has brought new elements to its modus operandi. Notably, it is now spreading across Asia, broadening its reach beyond its previous target regions.
A key weapon in Gozi’s arsenal is the use of web injects. These malicious code injections are designed to modify the content of legitimate websites, making them appear genuine to unsuspecting users. By mimicking legitimate login pages or transaction forms, Gozi tricks users into entering their credentials and financial information, unknowingly providing them directly to the attackers.
Figure 1 — Targeted list from Gozi configuration
We covered Gozi’s recent campaign targeted at Italian banks in this report.
Figure 2 — Gozi attacker asking the victim to generate a security code from a mobile application
Additionally, Gozi has targeted various companies associated with cryptocurrency, such as cryptocurrency exchanges, wallets and blockchain service providers, aiming to exploit the lucrative nature of the digital currency industry. These developments mark a significant expansion in the geographical and sectoral scope of Gozi’s cyberattacks.
Asia has been a significant hub for cryptocurrency trading and exchanges. The cryptocurrency exchange platforms based there may be attractive targets due to the potential for financial gain and the high value of digital assets.
Gozi malware can target the login credentials of cryptocurrency exchange platforms. By stealing usernames, passwords and two-factor authentication codes, cybercriminals can gain unauthorized access to user accounts, facilitating unauthorized trading or funds withdrawal.
How to avoid Gozi malware
Here are some recommendations to avoid Gozi malware and protect yourself from similar threats:
- Be wary of email links. Exercise caution when opening email attachments or clicking on links, especially if they come from unknown or suspicious sources. Be particularly vigilant for phishing emails that may attempt to trick you into downloading malware.
- Increase your password security. Create strong and unique passwords for all your online accounts, including cryptocurrency exchanges and wallets. Avoid using easily guessable information and consider using a reliable password manager to securely store and manage your passwords.
- Remain vigilant online. Pay attention to any unusual behavior or unexpected requests when accessing websites, especially financial or cryptocurrency-related platforms. If you encounter unexpected pop-ups, requests for additional personal information, or changes in website appearance, it could be a sign of a web inject attempting to deceive you.
- Stay informed about the latest cybersecurity threats and best practices. Familiarize yourself with common techniques used by cybercriminals, such as phishing scams and social engineering, to avoid falling victim to their tactics.
One of the best tools to detect Gozi malware and protect your organization is IBM Security Trusteer Pinpoint Detect. The tool uses artificial intelligence and machine learning to protect digital channels against account takeover and fraudulent transactions and detect user devices infected with high-risk malware. Learn more here.
Indicators of compromise
C&C
hxxps://gestorbancasrl.com
hxxps://gestorbancosrl.com
hxxps://avas1ta.com/in
hxxps://avas1t.de/in
hxxps://njamma.com
hxxps://itgjmfgdzxcv.com
MD5
471d596dad7ca027a44b21f3c3a2a0d9
Security Web Researcher in Security Intelligence