November 25, 2022 HAWKEYE

Ursnif/Gozi Malware Evolution and Associated IoC

Gozi is a powerful piece of malware with a wide range of intricate characteristics. It began as a basic banking Trojan, even more, basic in some ways than the original Zeus due to the notable absence of web injection features.


It should come as no surprise that URSNIF (also known as Gozi or Gozi/ISFB), which is occasionally entangled with other malware families and variants, has a long and eventful history given that it is one of the oldest banking malware families still active today. Since the first major version debuted in 2016, its source code has been leaked at least twice, leading to further variations, several of which are still in use today (e.g., IAP). Numerous URSNIF variations based on ISFB have been spotted in the wild recently, including Dreambot, IAP, RM2, RM3, and LDR4. In this article, We shall step-by-step dissect the evolution of Gozi and the associated IOCs.

Evolution of Gozi:

Gozi is a powerful piece of malware with a wide range of intricate characteristics. It began as a basic banking Trojan, even more, basic in some ways than the original Zeus due to the notable absence of web injection features. Gozi went unnoticed for its first year of operation; it wasn’t until a 2007 SecureWorks expose, which included a breakdown of the malware’s internal structure and the nature of the underlying financial operation, that this strain of malware came to the public’s attention. Similar to Emotet, Gozi developed into a multi-module, multi-purpose malicious platform, and as of 2020, many of the contemporary variants of Kuzmin’s original work are still actively being used in malicious campaigns.

2010 Leak:

After its 2007 public release, Gozi remained a typical malicious campaign for three more years, with a single codebase limited to a small, exclusive group of cyber criminals. Then, in 2010, the sources for this initial Gozi version—then known as Gozi CRM—leaked. Gozi Prinimalka and Gozi “ISFB,” were the two new versions developed by other actors using the leaked code. Even just these early mutations made it difficult for the industry to monitor Gozi. ISFB was referred to as “Gozi2” by one vendor, and “Ursnif,” or “Snifula,” by others. As a result of a packer that was frequently used to conceal the virus’s binaries, a number of other vendors began calling the malware “Rovnix.”

2015 Leak:

A few years later, the ISFB source code was leaked. Although sources disagree on the exact timing, the majority of the evidence dates this second leak to 2015. One of the resulting branches later merged with Nymaim and became the basic code for GozNym, the hybrid malware strain created by the union of the two malware families. Another branch eventually evolved into Dreambot, which modified the check-in format of ISFB and supported C&C communication over the TOR network. Dreambot mainly relied on the code from the original 2010 CRM breach.

Some actors believed that the market was ready for a new major version once second-wave Gozi had been present for long enough. As a result, Goziv3 (RM3 loader), ISFB3, and Gozi2RM3 were created (IAP 2.0). Each of them made modifications to the malware’s C&C communication protocol, control flow, and obfuscation technique. These “third-wave Gozi” campaigns were particularly distinguished by the addition of novelties including signed binaries, HTTPS connectivity, and a tiered, two-stage client registration process.

Variants of Gozi/Urnsif:

  • Dreambot:
    It wasn’t long after the ISFB breach that this particular branch of the leaked ISFB sources was discovered. It continued to be actively developed for a long time and incorporated numerous new features. It was reliant on C2 check-ins replicating GET requests for images, a tactic that rapidly lost usefulness once it was discovered, and it was outclassed by third-wave Gozi’s sophisticated stealth operation best practices. After a lengthy and successful run, Dreambot came to an end in March 2020.

    • -> IOCs:
      • 52cb2bd9724270b3efe575894112d0a866734856a3257ddcfb24308e42861f6a
      • f2556099982b2b1ebea7443c863b8b205b6683112624f46393454e430e69aed5
  • Goziat:
    This Gozi variant seems to have made its debut several years after the ISFB leak. Its C&C check-in peculiarity, which can be modified during the malware’s creation process, uses a different resource directory in place of “images” and makes it stand apart from other variants. Goziat abandons the Dreambot-popularized “image file extensions as encoded requests” technique since it does not try to pretend that its check-in is a valid request for an image.

    • -> IOCs:
      • cb4f92bf9fef3708e7aeba5d8994a0502952d06374c8a83ff2c1ee0b7e603d35
      • c486d8579308999b7d9f8cbb6de33b7a3976b9db5b98c06b7744adf5d5d11caf
  • Goziv2:
    The campaign infrastructure level of Gozi2RM3 and earlier-generation Gozi executes a thorough vetting procedure, which is the most noticeable distinction between the two. Although these variations in infrastructure are the most significant ones, there are some functional variations as well.

    • -> IOCs:
      • c2ee9cf24f0bddb07914503dbae35c4497d66f9ca01ea65108ef40ff13cbec02
      • 81734690442c224cf104fba0db8bacabdf3dc347bba3da3415a92de587df6d82
  • Goziv3:
    Since at least the summer of 2017, this variety has been spotted in wild. Most of the ISFB code is still present, but there are also many new components. This variant’s attackers are fairly skilled and make an effort to remain undetected while primarily targeting the USA, Australia, and Italy.

    • -> IOCs:
      • 41e52cec2091e4451beadad93c5f693d5a008cf56eaf160f9fa4d577b1d707f6
      • a353dfb1b5eb69808244356cf9a784181c53eea2cb3f254749fa19c307c30cfc
  • ISFB3:
    During the years 2018–2019, this version was only very briefly and precisely used against Japanese targets. It has been assumed that it is connected to threat actor TA544 because of a similarity in its distribution technique.

    • -> IOCs:
      • cacc1c3af8ad58b992c707bdf36ec1bd5f039dd80780ad2978cb142ccfe714d6
      • 8d7ffebb0774e0dfe9d85f175cd5e1800dfd757bb5fbc4565a8f8a173e739ea5
  • LDR4:
    This URSNIF malware variant was originally discovered in June 2022. As opposed to earlier versions of URSNIF, this new variant, called LDR4, is a generic backdoor (similar to the short-lived SAIGON variant), which may have been created specifically to support activities like ransomware and data theft extortion.

    • -> IOCs:
      • 360417f75090c962adb8021dbb478f67
      • 58169007c2e7a0d022bc383f9b9476fe
, , , , ,


We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.