Blog
‍

Inside the SOC

Gozi ISFB Malware Detection Insights and Analysis | Darktrace

Apr 2023

Learn how Darktrace detected the Gozi ISFB malware, a type of banking trojan, with Self-Learning AI. Stay informed about the latest cybersecurity threats.

Mirroring the overall growth of the cybersecurity landscape and the advancement of security tool capabilities, threat actors are continuously forced to keep pace. Today, threat actors are bringing novel malware into the wild, creating new attack vectors, and finding ways to avoid the detection of security tools.

One notable example of a constantly adapting type of malware can be seen with banking trojans, a type of malware designed to steal confidential information, such as banking credentials, used by attackers for financial gain. Gozi-ISFB is a widespread banking trojan that has previously been referred to as ‘the malware with a thousand faces’ and, as it name might suggest, has been known under various names such as Gozi, Ursnif, Papras and Rovnix to list a few.

Between November 2022 and January 2023, a rise in Gozi-ISFB malware related activity was observed across Darktrace customer environments and was investigated by the Darktrace Threat Research team. Leveraging its Self-Learning AI, Darktrace was able to identify activity related to this banking trojan, regardless of the attack vectors or delivery methods utilized by threat actors.

We have moderate to high confidence that the series of activities observed is associated with Gozi-ISFB malware and high confidence in the indicators of compromise identified which are related to the post-compromise activities from Gozi-ISFB malware.

Gozi-ISFB Background

The Gozi-ISFB malware was first observed in 2011, stemming from the source code of another family of malware, Gozi v1, which in turn borrowed source code from the Ursnif malware strain.

Typically, the initial access payloads of Gozi-ISFB would require an endpoint to enable a macro on their device, subsequently allowing a pre-compiled executable file (.exe) to be gathered from an attacker-controlled server, and later executed on the target device.

However, researchers have recently observed Gozi-ISFB actors using additional and more advanced capabilities to gain access to organizations networks. These capabilities range from credential harvest, surveilling user keystrokes, diverting browser traffic from banking websites, remote desktop access, and the use of domain generation algorithms (DGA) to create command-and-control (C2) domains to avoid the detection and blocking of traditional security tools.

Ultimately, the goal of Gozi-ISFB malware is to gather confidential information from infected devices by connecting to C2 servers and installing additional malware modules on the network.

Darktrace Coverage of Gozi-ISFB

Unlike traditional security approaches, Darktrace DETECT/Network™ can identify malicious activity because Darktrace models build an understanding of a device’s usual pattern of behavior, rather than using a static list of indicators of compromise (IoCs) or rules and signatures. As such, Darktrace is able to instantly detect compromised devices that deviate from their expected behavioral patterns, engaging in activity such as unusual SMB connections or connecting to newly created malicious endpoints or C2 infrastructure. In the event that Darktrace detects malicious activity, it would automatically trigger an alert, notifying the customer of an ongoing security concern.

Regarding the Gozi-ISFB attack process, initial attack vectors commonly include targeted phishing campaigns, where the recipient would receive an email with an attached Microsoft Office document containing macros or a Zip archive file. Darktrace frequently observes malicious emails like this across the customer base and is able to autonomously detect and action them using Darktrace/Email™. In the following cases, the clients who had Darktrace/Email did not have evidence of compromise through their corporate email infrastructure, suggesting devices were likely compromised via the access of personal email accounts. In other cases, the customers did not have Darktrace/Email enabled on their networks.

Upon downloading and opening the malicious attachment included in the phishing email, the payload subsequently downloads an additional .exe or dynamic link library (DLL) onto the device. Following this download, the malware will ultimately begin to collect sensitive data from the infected device, before exfiltrating it to the C2 server associated with Gozi-ISFB. Darktrace was able to demonstrate and detect the retrieval of Gozi-ISFB malware, as well as subsequent malicious communication on multiple customer environments.

In some attack chains observed, the infected device made SMB connections to the rare external endpoint ’62.173.138[.]28’ via port 445. Darktrace recognized that the device used unusual credentials for this destination endpoint and further identified it performing SMB reads on the share ‘\\62.173.138[.]28\Agenzia’. Darktrace also observed that the device downloaded the executable file ‘entrat.exe’ from this connection as can be seen in Figure 1.

Figure 1: Model breach event log showing an infected device making SMB read actions on the share ‘\\62.173.138[.]28\Agenzia’. Darktrace observed the device downloading the executable file ‘entrat.exe’ from this connection.

Subsequently, the device performed a separate SMB login to the same external endpoint using a credential identical to the device's name. Shortly after, the device performed a SMB directory query from the root share drive for the file path to the same endpoint.

*Figure 2:SMB directory query from the root share drive for the file path to the same endpoint, ’62.173.138[.]28’.*

In Gozi-ISFB compromises investigated by the Threat Research team, Darktrace commonly observed model breaches for ‘Multiple HTTP POSTs to Rare Hostname’ and the use of the Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)’ user agent.

Devices were additionally observed making external connections over port 80 (TCP, HTTP) to endpoints associated with Gozi-ISFB. Regarding these connections, C2 communication was observed used configurations of URI path and resource file extension that claimed to be related to images within connections that were actually GET or POST request URIs. This is a commonly used tactic by threat actors to go under the radar and evade the detection of security teams.

An example of this type of masqueraded URI can be seen below:

In another similar example investigated by the Threat Research team, Darktrace detected similar external connectivity associated with Gozi-ISFB malware. In this case, DETECT identified external connections to two separate hostnames, namely ‘gameindikdowd[.]ru’ and ‘jhgfdlkjhaoiu[.]su’, both of which have been associated to Gozi-ISFB by OSINT sources. This specific detection included HTTP beaconing connections to endpoint, gameindikdowd[.]ru .

Details observed from this event:

Destination IP: 134.0.118[.]203

Destination port: 80

ASN: AS197695 Domain names registrar REG.RU, Ltd

User agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64

The same device later made anomalous HTTP POST requests to a known Gozi-ISFB endpoint, jhgfdlkjhaoiu[.]su.

Details observed:

Destination port: 80

ASN: AS197695 Domain names registrar REG.RU, Ltd

User agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64

*Figure 3: Packet Capture (PCAP) with the device conducting anomalous HTTP POST requests to a Gozi-ISFB related IOC, ‘jhgfdlkjhaoiu[.]su’.*

Conclusions

With constantly changing attack infrastructure and new methods of exploitation tested and leveraged hour upon hour, it is critical for security teams to employ tools that help them stay ahead of the curve to avoid critical damage from compromise.

Faced with a notoriously adaptive malware strain like Gozi-ISFB, Darktrace demonstrated its ability to autonomously detect malicious activity based upon more than just known IoCs and attack vectors. Despite the multitude of different attack vectors utilized by threat actors, Darktrace was able to detect Gozi-ISFB activity at various stages of the kill chain using its anomaly-based detection to identify unusual activity or deviations from normal patterns of life. Using its Self-Learning AI, Darktrace successfully identified infected devices and brought them to the immediate attention of customer security teams, ultimately preventing infections from leading to further compromise.

The Darktrace suite of products, including DETECT/Network, is uniquely placed to offer customers an unrivaled level of network security that can autonomously identify and respond to arising threats against their networks in real time, preventing suspicious activity from leading to damaging network compromises.

Credit to: Paul Jennings, Principal Analyst Consultant and the Threat Research Team

Appendices

List of IOCs

134.0.118[.]203 - IP Address - Gozi-ISFB C2 Endpoint

62.173.138[.]28 - IP Address - Gozi-ISFB C2 Endpoint

45.130.147[.]89 - IP Address - Gozi-ISFB C2 Endpoint

94.198.54[.]97 - IP Address - Gozi-ISFB C2 Endpoint

91.241.93[.]111 - IP Address - Gozi-ISFB C2 Endpoint

89.108.76[.]56 - IP Address - Gozi-ISFB C2 Endpoint

87.106.18[.]141 - IP Address - Gozi-ISFB C2 Endpoint

35.205.61[.]67 - IP Address - Gozi-ISFB C2 Endpoint

91.241.93[.]98 - IP Address - Gozi-ISFB C2 Endpoint

62.173.147[.]64 - IP Address - Gozi-ISFB C2 Endpoint

146.70.113[.]161 - IP Address - Gozi-ISFB C2 Endpoint

iujdhsndjfks[.]ru - Hostname - Gozi-ISFB C2 Hostname

reggy505[.]ru - Hostname - Gozi-ISFB C2 Hostname

apr[.]intoolkom[.]at - Hostname - Gozi-ISFB C2 Hostname

jhgfdlkjhaoiu[.]su - Hostname - Gozi-ISFB C2 Hostname

gameindikdowd[.]ru - Hostname - Gozi-ISFB Hostname

chnkdgpopupser[.]at - Hostname – Gozi-ISFB C2 Hostname

denterdrigx[.]com - Hostname – Gozi-ISFB C2 Hostname

entrat.exe - Filename – Gozi-ISFB Related Filename

Darktrace Model Coverage

Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

Anomalous Connection / Posting HTTP to IP Without Hostname

Anomalous Connection / New User Agent to IP Without Hostname

Compromise / Agent Beacon (Medium Period)

Anomalous File / Application File Read from Rare Endpoint

Device / Suspicious Domain

Mitre Attack and Mapping

‍Tactic: Application Layer Protocol: Web Protocols

Technique: T1071.001

‍

Tactic: Drive-by Compromise

Technique: T1189

‍

Tactic: Phishing: Spearphishing Link

Technique: T1566.002

Model Detection

Anomalous Connection / Multiple HTTP POSTs to Rare Hostname - T1071.001

Anomalous Connection / Posting HTTP to IP Without Hostname - T1071.001

Anomalous Connection / New User Agent to IP Without Hostname - T1071.001

Compromise / Agent Beacon (Medium Period) - T1071.001

Anomalous File / Application File Read from Rare Endpoint - N/A

Device / Suspicious Domain - T1189, T1566.002

References

https://threatfox.abuse.ch/browse/malware/win.isfb/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-216a

https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy#:~:text=Ursnif%20(also%20known%20as%20Gozi,Italy%20over%20the%20past%20year

https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef

INSIDE THE SOC

Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.

AUTHOR

ABOUT ThE AUTHOR

Justin Torres

Cyber Analyst

Watch the NIS2 Webinar

share this article

More in this series

No items found.

Blog
‍

Thought Leadership

The State of AI in Cybersecurity: Understanding AI Technologies

Jul 2024

About the State of AI Cybersecurity Report

Darktrace surveyed 1,800 CISOs, security leaders, administrators, and practitioners from industries around the globe. Our research was conducted to understand how the adoption of new AI-powered offensive and defensive cybersecurity technologies are being managed by organizations.

This blog continues the conversation from “The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners”. This blog will focus on security professionals’ understanding of AI technologies in cybersecurity tools.

To access download the full report, click here.

How familiar are security professionals with supervised machine learning

Just 31% of security professionals report that they are “very familiar” with supervised machine learning.

Many participants admitted unfamiliarity with various AI types. Less than one-third felt "very familiar" with the technologies surveyed: only 31% with supervised machine learning and 28% with natural language processing (NLP).

Most participants were "somewhat" familiar, ranging from 46% for supervised machine learning to 36% for generative adversarial networks (GANs). Executives and those in larger organizations reported the highest familiarity.

Combining "very" and "somewhat" familiar responses, 77% had familiarity with supervised machine learning, 74% generative AI, and 73% NLP. With generative AI getting so much media attention, and NLP being the broader area of AI that encompasses generative AI, these results may indicate that stakeholders are understanding the topic on the basis of buzz, not hands-on work with the technologies.

If defenders hope to get ahead of attackers, they will need to go beyond supervised learning algorithms trained on known attack patterns and generative AI. Instead, they’ll need to adopt a comprehensive toolkit comprised of multiple, varied AI approaches—including unsupervised algorithms that continuously learn from an organization’s specific data rather than relying on big data generalizations.

Different types of AI

Different types of AI have different strengths and use cases in cyber security. It’s important to choose the right technique for what you’re trying to achieve.

Supervised machine learning: Applied more often than any other type of AI in cyber security. Trained on human attack patterns and historical threat intelligence.

Large language models (LLMs): Applies deep learning models trained on extremely large data sets to understand, summarize, and generate new content. Used in generative AI tools.

Natural language processing (NLP): Applies computational techniques to process and understand human language.

Unsupervised machine learning: Continuously learns from raw, unstructured data to identify deviations that represent true anomalies.

What impact will generative AI have on the cybersecurity field?

More than half of security professionals (57%) believe that generative AI will have a bigger impact on their field over the next few years than other types of AI.

Chart showing the types of AI expected to impact security the most — Figure 1: Chart from Darktrace's State of AI in Cybersecurity Report

Security stakeholders are highly aware of generative AI and LLMs, viewing them as pivotal to the field's future. Generative AI excels at abstracting information, automating tasks, and facilitating human-computer interaction. However, LLMs can "hallucinate" due to training data errors and are vulnerable to prompt injection attacks. Despite improvements in securing LLMs, the best cyber defenses use a mix of AI types for enhanced accuracy and capability.

AI education is crucial as industry expectations for generative AI grow. Leaders and practitioners need to understand where and how to use AI while managing risks. As they learn more, there will be a shift from generative AI to broader AI applications.

Do security professionals fully understand the different types of AI in security products?

Only 26% of security professionals report a full understanding of the different types of AI in use within security products.

Confusion is prevalent in today’s marketplace. Our survey found that only 26% of respondents fully understand the AI types in their security stack, while 31% are unsure or confused by vendor claims. Nearly 65% believe generative AI is mainly used in cybersecurity, though it’s only useful for identifying phishing emails. This highlights a gap between user expectations and vendor delivery, with too much focus on generative AI.

Key findings include:

Executives and managers report higher understanding than practitioners.

Larger organizations have better understanding due to greater specialization.

As AI evolves, vendors are rapidly introducing new solutions faster than practitioners can learn to use them. There's a strong need for greater vendor transparency and more education for users to maximize the technology's value.

To help ease confusion around AI technologies in cybersecurity, Darktrace has released the CISO’s Guide to Cyber AI. A comprehensive white paper that categorizes the different applications of AI in cybersecurity. Download the White Paper here.

Do security professionals believe generative AI alone is enough to stop zero-day threats?

No! 86% of survey participants believe generative AI alone is NOT enough to stop zero-day threats

This consensus spans all geographies, organization sizes, and roles, though executives are slightly less likely to agree. Asia-Pacific participants agree more, while U.S. participants agree less.

Despite expecting generative AI to have the most impact, respondents recognize its limited security use cases and its need to work alongside other AI types. This highlights the necessity for vendor transparency and varied AI approaches for effective security across threat prevention, detection, and response.

Stakeholders must understand how AI solutions work to ensure they offer advanced, rather than outdated, threat detection methods. The survey shows awareness that old methods are insufficient.

To access the full report, click here.

About the author

The Darktrace Community

Blog
‍

Inside the SOC

Jupyter Ascending: Darktrace’s Investigation of the Adaptive Jupyter Information Stealer

Jul 2024

What is Malware as a Service (MaaS)?

Malware as a Service (MaaS) is a model where cybercriminals develop and sell or lease malware to other attackers.

This approach allows individuals or groups with limited technical skills to launch sophisticated cyberattacks by purchasing or renting malware tools and services. MaaS is often provided through online marketplaces on the dark web, where sellers offer various types of malware, including ransomware, spyware, and trojans, along with support services such as updates and customer support.

The Growing MaaS Marketplace

The Malware-as-a-Service (MaaS) marketplace is rapidly expanding, with new strains of malware being regularly introduced and attracting waves of new and previous attackers. The low barrier for entry, combined with the subscription-like accessibility and lucrative business model, has made MaaS a prevalent tool for cybercriminals. As a result, MaaS has become a significant concern for organizations and their security teams, necessitating heightened vigilance and advanced defense strategies.

Examples of Malware as a Service

‍Ransomware as a Service (RaaS): Providers offer ransomware kits that allow users to launch ransomware attacks and share the ransom payments with the service provider.‍
Phishing as a Service: Services that provide phishing kits, including templates and email lists, to facilitate phishing campaigns.‍
Botnet as a Service: Renting out botnets to perform distributed denial-of-service (DDoS) attacks or other malicious activities.
Information Stealer: Information stealers are a type of malware specifically designed to collect sensitive data from infected systems, such as login credentials, credit card numbers, personal identification information, and other valuable data.

How does information stealer malware work?

Information stealers are an often-discussed type MaaS tool used to harvest personal and proprietary information such as administrative credentials, banking information, and cryptocurrency wallet details. This information is then exfiltrated from target networks via command-and-control (C2) communication, allowing threat actors to monetize the data. Information stealers have also increasingly been used as an initial access vector for high impact breaches including ransomware attacks, employing both double and triple extortion tactics.

After investigating several prominent information stealers in recent years, the Darktrace Threat Research team launched an investigation into indicators of compromise (IoCs) associated with another variant in late 2023, namely the Jupyter information stealer.

What is Jupyter information stealer and how does it work?

The Jupyter information stealer (also known as Yellow Cockatoo, SolarMarker, and Polazert) was first observed in the wild in late 2020. Multiple variants have since become part of the wider threat landscape, however, towards the end of 2023 a new variant was observed. This latest variant achieved greater stealth and updated its delivery method, targeting browser extensions such as Edge, Firefox, and Chrome via search engine optimization (SEO) poisoning and malvertising. This then redirects users to download malicious files that typically impersonate legitimate software, and finally initiates the infection and the attack chain for Jupyter [3][4]. In recently noted cases, users download malicious executables for Jupyter via installer packages created using InnoSetup – an open-source compiler used to create installation packages in the Windows OS.

The latest release of Jupyter reportedly takes advantage of signed digital certificates to add credibility to downloaded executables, further supplementing its already existing tactics, techniques and procedures (TTPs) for detection evasion and sophistication [4]. Jupyter does this while still maintaining features observed in other iterations, such as dropping files into the %TEMP% folder of a system and using PowerShell to decrypt and load content into memory [4]. Another reported feature includes backdoor functionality such as:

C2 infrastructure
Ability to download and execute malware
Execution of PowerShell scripts and commands
Injecting shellcode into legitimate windows applications

Darktrace Coverage of Jupyter information stealer

In September 2023, Darktrace’s Threat Research team first investigated Jupyter and discovered multiple IoCs and TTPs associated with the info-stealer across the customer base. Across most investigated networks during this time, Darktrace observed the following activity:

HTTP POST requests over destination port 80 to rare external IP addresses (some of these connections were also made via port 8089 and 8090 with no prior hostname lookup).
HTTP POST requests specifically to the root directory of a rare external endpoint.
Data streams being sent to unusual external endpoints
Anomalous PowerShell execution was observed on numerous affected networks.

Taking a further look at the activity patterns detected, Darktrace identified a series of HTTP POST requests within one customer’s environment on December 7, 2023. The HTTP POST requests were made to the root directory of an external IP address, namely 146.70.71[.]135, which had never previously been observed on the network. This IP address was later reported to be malicious and associated with Jupyter (SolarMarker) by open-source intelligence (OSINT) [5].

Figure 1: Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.

This activity triggered the Darktrace / NETWORK model, ‘Anomalous Connection / Posting HTTP to IP Without Hostname’. This model alerts for devices that have been seen posting data out of the network to rare external endpoints without a hostname. Further investigation into the offending device revealed a significant increase in external data transfers around the time Darktrace alerted the activity.

Figure 2: This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.

Packet capture (PCAP) analysis of this activity also demonstrates possible external data transfer, with the device observed making a POST request to the root directory of the malicious endpoint, 146.70.71[.]135.

Figure 3: PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.

In other cases investigated by the Darktrace Threat Research team, connections to the rare external endpoint 67.43.235[.]218 were detected on port 8089 and 8090. This endpoint was also linked to Jupyter information stealer by OSINT sources [6].

Darktrace recognized that such suspicious connections represented unusual activity and raised several model alerts on multiple customer environments, including ‘Compromise / Large Number of Suspicious Successful Connections’ and ‘Anomalous Connection / Multiple Connections to New External TCP Port’.

In one instance, a device that was observed performing many suspicious connections to 67.43.235[.]218 was later observed making suspicious HTTP POST connections to other malicious IP addresses. This included 2.58.14[.]246, 91.206.178[.]109, and 78.135.73[.]176, all of which had been linked to Jupyter information stealer by OSINT sources [7] [8] [9].

Darktrace further observed activity likely indicative of data streams being exfiltrated to Jupyter information stealer C2 endpoints.

Figure 4: Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.

In several cases, Darktrace was able to leverage customer integrations with other security vendors to add additional context to its own model alerts. For example, numerous customers who had integrated Darktrace with Microsoft Defender received security integration alerts that enriched Darktrace’s model alerts with additional intelligence, linking suspicious activity to Jupyter information stealer actors.

Figure 5: The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).

Conclusion

The MaaS ecosystems continue to dominate the current threat landscape and the increasing sophistication of MaaS variants, featuring advanced defense evasion techniques, poses significant risks once deployed on target networks.

Leveraging anomaly-based detections is crucial for staying ahead of evolving MaaS threats like Jupyter information stealer. By adopting AI-driven security tools like Darktrace / NETWORK, organizations can more quickly identify and effectively detect and respond to potential threats as soon as they emerge. This is especially crucial given the rise of stealthy information stealing malware strains like Jupyter which cannot only harvest and steal sensitive data, but also serve as a gateway to potentially disruptive ransomware attacks.

Credit to Nahisha Nobregas (Senior Cyber Analyst), Vivek Rajan (Cyber Analyst)

References

1. https://www.paloaltonetworks.com/cyberpedia/what-is-multi-extortion-ransomware

2. https://flashpoint.io/blog/evolution-stealer-malware/

3. https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html

4. https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf

5. https://www.virustotal.com/gui/ip-address/146.70.71.135

6. https://www.virustotal.com/gui/ip-address/67.43.235.218/community

7. https://www.virustotal.com/gui/ip-address/2.58.14.246/community

8. https://www.virustotal.com/gui/ip-address/91.206.178.109/community

9. https://www.virustotal.com/gui/ip-address/78.135.73.176/community

Appendices

Darktrace Model Detections

Anomalous Connection / Posting HTTP to IP Without Hostname
Compromise / HTTP Beaconing to Rare Destination
Unusual Activity / Unusual External Data to New Endpoints
Compromise / Slow Beaconing Activity To External Rare
Compromise / Large Number of Suspicious Successful Connections
Anomalous Connection / Multiple Failed Connections to Rare Endpoint
Compromise / Excessive Posts to Root
Compromise / Sustained SSL or HTTP Increase
Security Integration / High Severity Integration Detection
Security Integration / Low Severity Integration Detection
Anomalous Connection / Multiple Connections to New External TCP Port
Unusual Activity / Unusual External Data Transfer

AI Analyst Incidents:

Unusual Repeated Connections
Possible HTTP Command and Control to Multiple Endpoints
Possible HTTP Command and Control

List of IoCs

Indicators – Type – Description

‍

146.70.71[.]135

IP Address