One of most notable malware shifts of last year, according to the IBM X-Force Threat Intelligence Index 2018 report, involved the rise in Gozi (aka Ursnif) variants to the top of the most active financial malware list in 2017. Zeus variants had been the most active financial malware family in the wild for the last couple of years.

In the first quarter of 2018, Gozi was observed consuming an even larger piece of the financial malware pie, and that trend continues as we enter Q2. It has even added a new trick up its sleeve: distributing IcedID, a banking Trojan discovered by X-Force researchers in September 2017.

Gozi’s Slow and Steady Climb to the Top

The Gozi banking Trojan was first discovered in 2007 when it was operated by a closed group of developers and cybercriminals, but it has since evolved and proliferated. The malware’s code was leaked in 2010, which led to its reuse in subsequent Gozi operations. It was later adopted as the core code for several other Trojans, including Neverquest and GozNym.

Nearly a decade after is discovery, Gozi began increasing in prevalence, becoming the third- and then the second-most prevalent malware family globally. One catalyst for this rise was the abrupt decline of Neverquest activity in 2017. The Neverquest Trojan is from a cybercrime-as-a-service gang that had been part of the crimeware arena since 2013.

Another reason for Gozi’s increasing presence has to do with its widening geographical scope. The malware is performing massive infections worldwide, and X-Force researchers suspect it is being operated by different actors based on their code, behavioral deployment and target location. In 2017, for example, Gozi presented configurations targeting banks in Bulgaria, Poland, Spain and the Czech Republic, in addition to its established target regions in North America, Australia and Japan.

Full Steam Ahead in 2018

Taking a look at the financial crimeware arena for Q1 2018, we see that Gozi is still the top-ranked Trojan. It made up 28 percent of the activity, up 5 percent from the full year view for 2017. However, Zeus activity is also up 4 percent over last year. Relative activity volumes for other financial malware families, such as Dridex and Ramnit, have dropped noticeably — down 4 percent and 8 percent, respectively.

Figure 1: Most prevalent financial malware families, Q1 2018 (Source: IBM X-Force)

Interestingly, our incident response teams in North America have predominantly encountered QakBot (aka PinkSlip), the seventh-ranked financial malware family on the list above, and Emotet. In 2017, X-Force Incident Response and Intelligence Services (IRIS) responders observed a wave of QakBot-induced Active Directory (AD) lockouts across several incident response engagements. The Emotet malware was found distributing IcedID last year, among other banking Trojans. According to X-Force research, Emotet’s most prominent attack zone is the U.S. To a lesser extent, it also targets users in the U.K. and other parts of the world.

Financial Malware Outlook

Gozi’s continued dominance proves that cybercrime has moved on from commercial and fly-by-night malware operators and that organized, businesslike gangs are taking the lead in 2018.

Is there room for surprise? Always. Take IcedID, for example. Not too long after X-Force’s discovery last year, it appeared that the group operating IcedID had taken a step back and reduced its activity significantly. IcedID did not make the 2017 list of the most prevalent financial malware, but it did pop up in the 10th spot for Q1 2018 with 3 percent of the relative activity volume. A recent third-party report noted that the IcedID gang is cooperating with the capabilities of Gozi to distribute and load other malware, which X-Force has confirmed to be the case.

To learn how to minimize the risk associated with banking Trojans such as Gozi, refer to our malware mitigation tips. Financial institutions can also help protect their customers against these threats by adopting fraud protection solutions powered by cognitive analytics.

Read Our Malware Mitigation Tips Now

More from Banking & Finance

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

BlotchyQuasar: X-Force Hive0129 targeting financial institutions in LATAM with a custom banking trojan

16 min read - In late April through May 2023, IBM Security X-Force found several phishing emails leading to packed executable files delivering malware we have named BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments. Similar operations conducted in late 2022 have also been noted delivering an earlier variant of this modified QuasarRAT by likely Spanish-speaking actors. BlotchyQuasar, which X-Force describes as…