My #Gozi banking malware detector for @zeek is almost ready. Just some more testing on real networks.

#opensource #cybersecurity #zeek

I may have figured out a couple ways to detect #Gozi #malware with #zeek. Stay tuned.
Gozi banking malware “IT chief” finally jailed after more than 10 years - Gozi threesome from way back in the late 2000s and early 2010s now all charged, convicted... https://nakedsecurity.sophos.com/2023/06/13/gozi-banking-malware-it-chief-finally-jailed-after-more-than-10-years/ #law&order #dataloss #paunescu #malware #bust #gozi #doj
Gozi threesome from way back in the late 2000s and early 2010s now all charged, convicted and sentenced. The DOJ got there in the end…

Naked Security
Euractiv Italia interviewed Sandro #Gozi, Member of the European Parliament for Renew Europe, secretary of the European Democratic Party, president of the Union of European Federalists, coordinator of the Spinelli Group, which brings together the most federalist MEPs. "We must work to put the European Union in a position to build a true Union of #difesa (defence) and #energia (energy). In good part this is also done through a #revisione (revision) of the Treaties," he said… https://www.instagram.com/p/Cph547BIwmq/?utm_source=dlvr.it&utm_medium=mastodon
@th3_protoCOL

Current #payloads:

- ZipCosdaz.exe (#RedLine)
C2: 193.56.146.114:44271
Botnet: NewBuild

- ZipCosdaz1.exe (#Ursnif aka #Gozi)
C2 servers:
45.11.182.97
79.132.128.108
91.241.93.98
79.132.128.109
91.242.217.28
91.241.93.111
Botnet: 2503

- ConsoleDWS.exe (Destroy Windows 10 Spying)
GitHub repo: https://github.com/spinda/Destroy-Windows-10-Spying

+ And another download URL: archiverportal[.]space/porn.php

GitHub - spinda/Destroy-Windows-10-Spying: 🕵️ Known clean fork of Nummer/Destroy-Windows-10-Spying (retired)

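One way to put the indicators in the post above to use, as an added example (this is not the poster's code, and not the Zeek detector announced at the top of the page): sweep a Zeek conn.log for connections whose responder is one of the listed C2 hosts. The indicator values are copied from the post as written; 193.56.146.114 carries the posted port 44271, and the Ursnif/Gozi hosts, which were posted without ports, match on any port. The conn.log records and the uid/host values in them are constructed for the demo.

```python
"""Sweep a Zeek conn.log for the RedLine and Ursnif/Gozi C2 indicators
listed in the post above.

Added example, not the poster's code and not the Zeek detector mentioned
elsewhere on this page. The conn.log content below is constructed.
"""
from dataclasses import dataclass

# Indicators copied from the post. The RedLine C2 was posted with a port;
# the Ursnif/Gozi servers were posted as bare IPs (no port constraint).
C2_INDICATORS = {
    "193.56.146.114": ("RedLine", 44271),
    "45.11.182.97": ("Ursnif/Gozi", None),
    "79.132.128.108": ("Ursnif/Gozi", None),
    "91.241.93.98": ("Ursnif/Gozi", None),
    "79.132.128.109": ("Ursnif/Gozi", None),
    "91.242.217.28": ("Ursnif/Gozi", None),
    "91.241.93.111": ("Ursnif/Gozi", None),
}


@dataclass(frozen=True)
class Hit:
    uid: str
    orig_h: str
    resp_h: str
    resp_p: int
    family: str
    port_matched: bool  # False when the host matched but on an unexpected port


def parse_conn_log(text):
    """Yield one dict per record of a Zeek ASCII conn.log.

    Zeek's ASCII writer is tab-separated and names the columns in a
    '#fields' header line; every other '#' line is metadata we skip.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data record before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"record has {len(values)} columns, header has {len(fields)}")
        yield dict(zip(fields, values))


def find_c2_hits(conn_log_text):
    """Return every connection whose responder is a listed C2 host.

    Beacons are outbound, so the C2 is the responder (id.resp_h). A hit on
    the host alone is still reported when the port differs, but flagged so
    the analyst can weigh it separately.
    """
    hits = []
    for rec in parse_conn_log(conn_log_text):
        resp_h = rec["id.resp_h"]
        if resp_h not in C2_INDICATORS:
            continue
        family, expected_port = C2_INDICATORS[resp_h]
        resp_p = int(rec["id.resp_p"])
        hits.append(Hit(
            uid=rec["uid"],
            orig_h=rec["id.orig_h"],
            resp_h=resp_h,
            resp_p=resp_p,
            family=family,
            port_matched=expected_port is None or resp_p == expected_port,
        ))
    return hits


def sample_conn_log():
    """Constructed conn.log excerpt (not a real capture) in Zeek's ASCII layout."""
    header = [
        "#separator \\x09",
        "#path\tconn",
        "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    ]
    records = [
        ("1686657000.1", "CAbc1", "10.0.0.5", "49212", "193.56.146.114", "44271", "tcp", "-", "SF"),
        ("1686657001.2", "CAbc2", "10.0.0.5", "49213", "193.56.146.114", "443", "tcp", "ssl", "SF"),
        ("1686657002.3", "CAbc3", "10.0.0.7", "51000", "91.241.93.98", "80", "tcp", "http", "SF"),
        ("1686657003.4", "CAbc4", "10.0.0.7", "51001", "8.8.8.8", "53", "udp", "dns", "SF"),
    ]
    return "\n".join(header + ["\t".join(r) for r in records]) + "\n"


if __name__ == "__main__":
    for hit in find_c2_hits(sample_conn_log()):
        tag = "" if hit.port_matched else " (unexpected port)"
        print(f"{hit.uid}: {hit.orig_h} -> {hit.resp_h}:{hit.resp_p} [{hit.family}]{tag}")
```

On the constructed log this reports CAbc1 (RedLine, posted port), CAbc2 (same host, port 443, flagged as unexpected) and CAbc3 (Ursnif/Gozi); the DNS record to 8.8.8.8 is ignored. Running it against a real conn.log is `find_c2_hits(open("conn.log").read())`. Indicator lists like this one go stale quickly, so treat a host match as a lead to pivot on (other connections from the same id.orig_h, the http.log and ssl.log entries with the same uid), not as a verdict.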
Last member of Gozi malware troika arrives in US for criminal trial - His co-conspirators went into and got out of prison years ago, while he remained free. No... https://nakedsecurity.sophos.com/2022/07/20/last-member-of-gozi-malware-troika-arrives-in-us-for-criminal-trial/ #bankingmalware #law&order #malware #spyeye #bust #gozi #zeus
His co-conspirators went into and got out of prison years ago, while he remained free. Now the tables have turned…

Colombian police arrest Gozi malware suspect after 8 years at large - Safe at home, apparently, but not so safe overseas. https://nakedsecurity.sophos.com/2021/06/30/colombian-police-arrest-gozi-malware-suspect-after-8-years-at-large/ #law&order #malware #bust #gozi #doj

Malspam campaign sent from compromised email accounts, distributing #Gozi in Italy. Spammed Excel (XLS) is completely undetected by AV.

XLS:

https://bazaar.abuse.ch/sample/4b462d7cd8e4ba2d1da7332df73f99f89a4da71357fb855e9b9e8cc3949f40d6

EXE:

https://bazaar.abuse.ch/sample/d04ce36b2c6a5888bf4c413ed5a1c8d2e16af857957742059e7f4de74d36d854

Payload URL:

https://urlhaus.abuse.ch/url/350489/ pic.twitter.com/skuPg75WYS

Hackers Update Age-Old Excel 4.0 Macro Attack - XLS files sent via emails appear password protected but aren’t, opening automatically to install m... more: https://threatpost.com/hackers-update-age-old-excel-4-0-macro-attack/154898/ #microsoftoffice #velvetsweatshop #maliciousfiles #microsoftexcel #bankingtrojan #emailattacks #coronavirus #trustwave #covid-19 #malware #macros #hacks #excel #gozi #xls
XLS files sent via emails appear password protected but aren’t, opening automatically to install malware from compromised macros, according to researchers.
