One of the most notable malware shifts of last year, according to the IBM X-Force Threat Intelligence Index 2018 report, involved the rise of Gozi (aka Ursnif) variants to the top of the most active financial malware list in 2017. Zeus variants had been the most active financial malware family in the wild for the last couple of years.

In the first quarter of 2018, Gozi was observed consuming an even larger piece of the financial malware pie, and that trend continues as we enter Q2. It has even added a new trick up its sleeve: distributing IcedID, a banking Trojan discovered by X-Force researchers in September 2017.

Gozi’s Slow and Steady Climb to the Top

The Gozi banking Trojan was first discovered in 2007 when it was operated by a closed group of developers and cybercriminals, but it has since evolved and proliferated. The malware’s code was leaked in 2010, which led to its reuse in subsequent Gozi operations. It was later adopted as the core code for several other Trojans, including Neverquest and GozNym.

Nearly a decade after its discovery, Gozi began increasing in prevalence, becoming the third- and then the second-most prevalent malware family globally. One catalyst for this rise was the abrupt decline of Neverquest activity in 2017. The Neverquest Trojan came from a cybercrime-as-a-service gang that had been part of the crimeware arena since 2013.

Another reason for Gozi’s increasing presence has to do with its widening geographical scope. The malware is performing massive infections worldwide, and X-Force researchers suspect it is being operated by different actors based on their code, behavioral deployment and target location. In 2017, for example, Gozi presented configurations targeting banks in Bulgaria, Poland, Spain and the Czech Republic, in addition to its established target regions in North America, Australia and Japan.

Full Steam Ahead in 2018

Taking a look at the financial crimeware arena for Q1 2018, we see that Gozi is still the top-ranked Trojan. It made up 28 percent of the activity, up 5 percent from the full year view for 2017. However, Zeus activity is also up 4 percent over last year. Relative activity volumes for other financial malware families, such as Dridex and Ramnit, have dropped noticeably — down 4 percent and 8 percent, respectively.

Figure 1: Most prevalent financial malware families, Q1 2018 (Source: IBM X-Force)

Interestingly, our incident response teams in North America have predominantly encountered QakBot (aka PinkSlip), the seventh-ranked financial malware family on the list above, and Emotet. In 2017, X-Force Incident Response and Intelligence Services (IRIS) responders observed a wave of QakBot-induced Active Directory (AD) lockouts across several incident response engagements. The Emotet malware was found distributing IcedID last year, among other banking Trojans. According to X-Force research, Emotet’s most prominent attack zone is the U.S. To a lesser extent, it also targets users in the U.K. and other parts of the world.

Financial Malware Outlook

Gozi’s continued dominance proves that cybercrime has moved on from commercial and fly-by-night malware operators and that organized, businesslike gangs are taking the lead in 2018.

Is there room for surprise? Always. Take IcedID, for example. Not too long after X-Force’s discovery last year, it appeared that the group operating IcedID had taken a step back and reduced its activity significantly. IcedID did not make the 2017 list of the most prevalent financial malware, but it did pop up in the 10th spot for Q1 2018 with 3 percent of the relative activity volume. A recent third-party report noted that the IcedID gang is cooperating with Gozi’s operators, using Gozi’s capabilities to distribute and load other malware, which X-Force has confirmed to be the case.

To learn how to minimize the risk associated with banking Trojans such as Gozi, refer to our malware mitigation tips. Financial institutions can also help protect their customers against these threats by adopting fraud protection solutions powered by cognitive analytics.
