One of most notable malware shifts of last year, according to the IBM X-Force Threat Intelligence Index 2018 report, involved the rise in Gozi (aka Ursnif) variants to the top of the most active financial malware list in 2017. Zeus variants had been the most active financial malware family in the wild for the last couple of years.
In the first quarter of 2018, Gozi was observed consuming an even larger piece of the financial malware pie, and that trend continues as we enter Q2. It has even added a new trick up its sleeve: distributing IcedID, a banking Trojan discovered by X-Force researchers in September 2017.
Gozi’s Slow and Steady Climb to the Top
The Gozi banking Trojan was first discovered in 2007 when it was operated by a closed group of developers and cybercriminals, but it has since evolved and proliferated. The malware’s code was leaked in 2010, which led to its reuse in subsequent Gozi operations. It was later adopted as the core code for several other Trojans, including Neverquest and GozNym.
Nearly a decade after is discovery, Gozi began increasing in prevalence, becoming the third- and then the second-most prevalent malware family globally. One catalyst for this rise was the abrupt decline of Neverquest activity in 2017. The Neverquest Trojan is from a cybercrime-as-a-service gang that had been part of the crimeware arena since 2013.
Another reason for Gozi’s increasing presence has to do with its widening geographical scope. The malware is performing massive infections worldwide, and X-Force researchers suspect it is being operated by different actors based on their code, behavioral deployment and target location. In 2017, for example, Gozi presented configurations targeting banks in Bulgaria, Poland, Spain and the Czech Republic, in addition to its established target regions in North America, Australia and Japan.
Full Steam Ahead in 2018
Taking a look at the financial crimeware arena for Q1 2018, we see that Gozi is still the top-ranked Trojan. It made up 28 percent of the activity, up 5 percent from the full year view for 2017. However, Zeus activity is also up 4 percent over last year. Relative activity volumes for other financial malware families, such as Dridex and Ramnit, have dropped noticeably — down 4 percent and 8 percent, respectively.
Figure 1: Most prevalent financial malware families, Q1 2018 (Source: IBM X-Force)
Interestingly, our incident response teams in North America have predominantly encountered QakBot (aka PinkSlip), the seventh-ranked financial malware family on the list above, and Emotet. In 2017, X-Force Incident Response and Intelligence Services (IRIS) responders observed a wave of QakBot-induced Active Directory (AD) lockouts across several incident response engagements. The Emotet malware was found distributing IcedID last year, among other banking Trojans. According to X-Force research, Emotet’s most prominent attack zone is the U.S. To a lesser extent, it also targets users in the U.K. and other parts of the world.
Financial Malware Outlook
Gozi’s continued dominance proves that cybercrime has moved on from commercial and fly-by-night malware operators and that organized, businesslike gangs are taking the lead in 2018.
Is there room for surprise? Always. Take IcedID, for example. Not too long after X-Force’s discovery last year, it appeared that the group operating IcedID had taken a step back and reduced its activity significantly. IcedID did not make the 2017 list of the most prevalent financial malware, but it did pop up in the 10th spot for Q1 2018 with 3 percent of the relative activity volume. A recent third-party report noted that the IcedID gang is cooperating with the capabilities of Gozi to distribute and load other malware, which X-Force has confirmed to be the case.
To learn how to minimize the risk associated with banking Trojans such as Gozi, refer to our malware mitigation tips. Financial institutions can also help protect their customers against these threats by adopting fraud protection solutions powered by cognitive analytics.