Gozi strikes again, targeting banks, cryptocurrency and more

/in


ttps://securityintelligence.com/posts/gozi-strikes-again-targeting-banks-cryptocurrency-and-more/”http://www.w3.org/TR/REC-html40/loose.dtd”>

In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest.

Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms, recognizing the lucrative nature of these sectors.

The history of Gozi

In 2006, a Russian developer named Nikita Kurmin created the first version of Gozi CRM. While developing the malware, Kurmin borrowed code from another spyware called Ursnif, also known as Snifula, developed by Alexey Ivanov around 2000. As a result, Gozi v1.0 featured a formgrabber module and was often classified as Ursnif/Snifula due to the shared codebase. With these capabilities, Gozi CRM quickly gained attention in the cybercriminal community.

In September 2010, a significant event occurred that would shape the future of Gozi. The source code of a specific Gozi CRM dynamic link library (DLL) version was leaked, exposing its inner workings to the wider world. This leak had far-reaching consequences, as it enabled the creation of new malware strains that leveraged Gozi’s codebase.

In June 2023, Mihai Ionut Paunescu, a Romanian hacker, was sentenced to three years in U.S. federal prison for his role in running a “bulletproof hosting” service called PowerHost[.]ro. This service aided cybercriminals in distributing various malware strains, including Gozi Virus, Zeus Trojan, SpyEye Trojan and BlackEnergy malware.

New Gozi campaigns aim high

Cryptocurrency companies are an attractive target, and the latest iteration of Gozi has brought new elements to its modus operandi. Notably, it is now spreading across Asia, broadening its reach beyond its previous target regions. 

A key weapon in Gozi’s arsenal is the use of web injects. These…

Source…