One of most notable malware shifts of last year, according to the IBM X-Force Threat Intelligence Index 2018 report, involved the rise in Gozi (aka Ursnif) variants to the top of the most active financial malware list in 2017. Zeus variants had been the most active financial malware family in the wild for the last couple of years.

In the first quarter of 2018, Gozi was observed consuming an even larger piece of the financial malware pie, and that trend continues as we enter Q2. It has even added a new trick up its sleeve: distributing IcedID, a banking Trojan discovered by X-Force researchers in September 2017.

Gozi’s Slow and Steady Climb to the Top

The Gozi banking Trojan was first discovered in 2007 when it was operated by a closed group of developers and cybercriminals, but it has since evolved and proliferated. The malware’s code was leaked in 2010, which led to its reuse in subsequent Gozi operations. It was later adopted as the core code for several other Trojans, including Neverquest and GozNym.

Nearly a decade after is discovery, Gozi began increasing in prevalence, becoming the third- and then the second-most prevalent malware family globally. One catalyst for this rise was the abrupt decline of Neverquest activity in 2017. The Neverquest Trojan is from a cybercrime-as-a-service gang that had been part of the crimeware arena since 2013.

Another reason for Gozi’s increasing presence has to do with its widening geographical scope. The malware is performing massive infections worldwide, and X-Force researchers suspect it is being operated by different actors based on their code, behavioral deployment and target location. In 2017, for example, Gozi presented configurations targeting banks in Bulgaria, Poland, Spain and the Czech Republic, in addition to its established target regions in North America, Australia and Japan.

Full Steam Ahead in 2018

Taking a look at the financial crimeware arena for Q1 2018, we see that Gozi is still the top-ranked Trojan. It made up 28 percent of the activity, up 5 percent from the full year view for 2017. However, Zeus activity is also up 4 percent over last year. Relative activity volumes for other financial malware families, such as Dridex and Ramnit, have dropped noticeably — down 4 percent and 8 percent, respectively.

Figure 1: Most prevalent financial malware families, Q1 2018 (Source: IBM X-Force)

Interestingly, our incident response teams in North America have predominantly encountered QakBot (aka PinkSlip), the seventh-ranked financial malware family on the list above, and Emotet. In 2017, X-Force Incident Response and Intelligence Services (IRIS) responders observed a wave of QakBot-induced Active Directory (AD) lockouts across several incident response engagements. The Emotet malware was found distributing IcedID last year, among other banking Trojans. According to X-Force research, Emotet’s most prominent attack zone is the U.S. To a lesser extent, it also targets users in the U.K. and other parts of the world.

Financial Malware Outlook

Gozi’s continued dominance proves that cybercrime has moved on from commercial and fly-by-night malware operators and that organized, businesslike gangs are taking the lead in 2018.

Is there room for surprise? Always. Take IcedID, for example. Not too long after X-Force’s discovery last year, it appeared that the group operating IcedID had taken a step back and reduced its activity significantly. IcedID did not make the 2017 list of the most prevalent financial malware, but it did pop up in the 10th spot for Q1 2018 with 3 percent of the relative activity volume. A recent third-party report noted that the IcedID gang is cooperating with the capabilities of Gozi to distribute and load other malware, which X-Force has confirmed to be the case.

To learn how to minimize the risk associated with banking Trojans such as Gozi, refer to our malware mitigation tips. Financial institutions can also help protect their customers against these threats by adopting fraud protection solutions powered by cognitive analytics.

Read Our Malware Mitigation Tips Now

More from Banking & Finance

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today