During a malware analysis of the Gozi ISFB banking Trojan, we saw that this threat has started using the elusive "Dark Cloud" botnet for distribution.
Gozi campaigns are relatively low in volume; they target specific companies.
The distribution and C&C infrastructures are active only for short periods of time.
The cybercriminals behind them also move to new domains and IP addresses quickly.
The spam emails carry a Microsoft Word document as an attachment.
When the file is opened, it displays a decoy image claiming that the document was created with Office 365 and that the user must click "Enable Editing" and then "Enable Content" to view it. Once both are enabled, the macro runs, downloading and executing the malware.
To evade sandbox detection, the VBA macro is executed only when the document is closed, so a sandbox that opens the file but never closes it observes no malicious activity.
The macro downloads an HTA file from a remote server.
The final payload is a banking Trojan based on the Gozi ISFB code base, but other malware families like CryptoShuffler, Sennoma, and SpyEye can also be delivered.
The malware loader has robust anti-virtualization options implemented and carries two versions of the same DLL, each targeting a different architecture.
Dark Cloud is used for distribution. This botnet uses fast-flux techniques to make the tracking of its backend infrastructure more difficult.
The IP addresses associated with its infrastructure serve a variety of cybercriminal activities, including carding forums, malware delivery and control, and spam.
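The fast-flux behaviour described above leaves a visible trace in DNS telemetry: one name resolves to many unrelated addresses with short TTLs within a short time. The script below is an added example (not the article's or any vendor's code) of a heuristic detector over passive-DNS style records. The log format, the constructed sample lines (RFC 5737 documentation addresses, not real Dark Cloud indicators) and the thresholds are assumptions chosen for illustration.

```python
"""Fast-flux heuristic over passive-DNS style resolution records.

Added example (not the article's code): flags domains whose A records rotate
through many unrelated IP addresses with short TTLs inside a time window, the
pattern fast-flux botnets use to hide their backend infrastructure.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsRecord:
    ts: int      # observation time, seconds since epoch
    qname: str   # queried name (lower-cased on parse)
    rdata: str   # resolved IPv4 address
    ttl: int     # TTL in seconds as returned by the resolver


# Constructed sample log lines (assumed format: "<epoch> A <qname> <ip> <ttl>").
# Addresses are RFC 5737 documentation ranges; none are real indicators.
SAMPLE_LOG = """\
1520000000 A updates.flux-example.test 203.0.113.10 300
1520000300 A updates.flux-example.test 198.51.100.7 300
1520000600 A updates.flux-example.test 192.0.2.45 300
1520000900 A updates.flux-example.test 203.0.113.77 180
1520001200 A updates.flux-example.test 198.51.100.200 300
1520001500 A updates.flux-example.test 192.0.2.9 240
1520000000 A cdn.static-example.test 203.0.113.50 86400
1520003600 A cdn.static-example.test 203.0.113.51 86400
"""


def parse_log(text: str) -> List[DnsRecord]:
    """Parse the constructed log format; malformed or non-A/IPv4 lines are skipped."""
    records: List[DnsRecord] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "A":
            continue
        ts, _, qname, rdata, ttl = parts
        try:
            if ip_address(rdata).version != 4:  # reject garbage before scoring
                continue
            records.append(DnsRecord(int(ts), qname.lower().rstrip("."), rdata, int(ttl)))
        except ValueError:
            continue
    return records


def _prefix24(ip: str) -> str:
    return str(IPv4Network(f"{ip}/24", strict=False))


def flux_score(records: List[DnsRecord], window: int = 3600, min_ips: int = 5,
               min_prefixes: int = 3, max_ttl: int = 600) -> Dict[str, Tuple[int, int, int, bool]]:
    """Return {domain: (distinct_ips, distinct_/24s, max_ttl_seen, flagged)}.

    A domain is flagged when, inside some sliding window of `window` seconds, it
    resolved to at least `min_ips` distinct addresses spread across at least
    `min_prefixes` distinct /24 networks, all with TTL <= `max_ttl`.
    Thresholds are assumptions for this example, not published values.
    """
    by_domain: Dict[str, List[DnsRecord]] = defaultdict(list)
    for r in records:
        by_domain[r.qname].append(r)
    result: Dict[str, Tuple[int, int, int, bool]] = {}
    for domain, recs in by_domain.items():
        recs.sort(key=lambda r: r.ts)
        flagged = False
        start = 0
        for end in range(len(recs)):           # sliding window over observation times
            while recs[end].ts - recs[start].ts > window:
                start += 1
            win = recs[start:end + 1]
            if (len({r.rdata for r in win}) >= min_ips
                    and len({_prefix24(r.rdata) for r in win}) >= min_prefixes
                    and max(r.ttl for r in win) <= max_ttl):
                flagged = True
                break
        result[domain] = (len({r.rdata for r in recs}),
                          len({_prefix24(r.rdata) for r in recs}),
                          max(r.ttl for r in recs), flagged)
    return result


if __name__ == "__main__":
    for domain, (n_ip, n_pfx, ttl_max, flagged) in flux_score(parse_log(SAMPLE_LOG)).items():
        print(f"{domain:28} ips={n_ip} /24s={n_pfx} max_ttl={ttl_max} {'FLUX' if flagged else 'ok'}")
```

The window keeps a legitimate CDN, which may also use many addresses but with long TTLs or within a single network, from being flagged; tune the thresholds against your own resolver logs before alerting on them.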
To keep your data safe and secure, it is always a good idea to implement a robust cybersecurity solution. If you are running Windows, install an antivirus for Windows; if you are running macOS, install an antivirus for Mac; and if you are using an Android-based phone, install an antivirus for Android. With one of these three cybersecurity solutions in place, you will be protected against all kinds of cyber threats.