Banking trojan Gozi ISFB, the widely distributed Dark Cloud botnet well known to financial institutions, surfaced a few years ago but increasingly is being deployed in 2018, reports security research firm Talos reports.
After monitoring the malware distributor for the past six months, a Talos said in a blog post that Gozi ISFB remains active in 2018 leveraging a wider distribution surface in attack recent campaigns.
“We identified a significant amount of malicious activity making use of this same infrastructure, including Gozi ISFB distribution, Nymaim command and control, and a variety of different spam campaigns and scam activity,” the post explains. Gozi ISFB's source code has been integrated into such malware as GozNym.
Talos tracked in the fourth quarter of 2017 relatively low-volume Gozi ISFB campaigns targeting specific organizations exhibiting such unusual characteristics as not sending large amounts of spam messages containing Microsoft Word file attachments that function as malware downloaders.
The hackers instead choose to stay under the radar, while putting extra effort into the creation of convincing emails pretending to be part of an existing email thread, maximizing the possibility that the victim will open the attached files.
Talos engineers discovered that the attackers don't stay active for extended periods, making analysis of older campaigns and samples more difficult, and they quickly move onto new domains and IP addresses.