Gozi ISFB RM3 and Me : A Diamond Model Approach

Readers!
Few weeks back I was invited to present at Malware and Reverse Engineering conference (MRE) and topic I chose to present is my understanding and research of Gozi ISFB over the years that is being noticed globally, with specific concentration on threat group operations in Australia.
Purpose of my presentation was to understand and learn about Gozi ISFB RM3 which is highly different from what we have seen in other regions. I have seen many analysis and articles on ISFB but very few provided information about following :
  • Gozi ISFB footprint
  • Adversaries
  • Capabilities
  • Infrastructure used
  • Target victims
The presentation was less technical and highly towards providing awareness on group operates and how we can protect us against the threat and can we? Lets start ..

Overall Statistics


Currently there are 38 individual groups (based on botid they use), across the globe,the table shows top 3 that are seen in Australia.

Infrastructure



    Infrastructure Overlap with Danabot


Above screenshot shows config from Danabot used by Affiliate ID 5 (zeus like) and Gozi ISFB RM3. Here, we can see that same inject server demo[.]maintrump[.]org is being used. This is clear indication that our adversaries are sharing infrastructure and working together.


Keitaro TDS


Keitaro TDS is a traffic distirbution system which is known to be used this group for web traffic filtering and distribution based on geo-location, user agents, device info etc.


BlackTDS


BlackTDS is a multitenant TDS tool that has been advertising its services on underground markets since the end of December 2017. BlackTDS offers a variety of services to its clients that they collectively refer to as a “Cloud TDS.” The operators claim that their Cloud TDS can handle social engineering and redirection to exploit kits (EKs) while preventing detection by bots — namely researchers and sandoxes. BlackTDS also includes access to fresh domains with clean reputations over HTTPS if required – https://www.proofpoint.com/us/threat-insight/post/drive-service-blacktds


Capabilities and Operations


 

With regards to monetization of stolen information we have seen new methods compared to just fund transfer to mule accounts. Few known methods are buying Bitcoins, buying products and resale once received, buying giftcards, cashapp transfer, transfer to paypal etc.

Mule recruitment Sample email


Above screenshot is a sample job advertisement to hire mules. Majority of times these mules are not aware that posters are part of such group. The mules are mostly looking for jobs from several days to weeks and are known to be in less fortunate demographics including students and immigrants. My next blog will concentrate on such environment that is responsible to fuel such activities.


Victims based on Configuration


47 banks on the target config and counting

Sample of Gozi ISFB RM3 configuration

RM3 Loader


When the initial loader (executable) is debugged we can see its version and build. Adversaries are calling it as RM3 – Full form is not known yet. Thanks to Vitali Kremez for the analysis.

Stage 2 inject code to send login info



Storing Victim Data


 


Hypothesized Operating model of the Adversary Group


  • Overlord – the one who looks after complete operations. Possibility they are part of organised crime. Very few evidence on what they are doing with the money beside living life of luxury. P.S. the name overlord is given by me
  • Operations
    • Coders
      • Senior Developers
        • Custom loaders
        • Bot developments
        • Writing banking injects
    • Junior developers
      • QA/review
      • minor updates
    • Botnet managers
      • Hosting providers
      • Traffic distribution system managers
  • Researchers
    • Target research and information gathering : Group of people that either had an account with targeted financial institutions or a disgruntled employee who may share information about target
  • Spammers
  • Phishers : This group is responsible in getting information or login details collected via generic credential phishing who accounts can be use to host initial delivery documents or send out email from
  • Recruitment
    • New coders
  • Sellers : Either sells data or advertised the service on forums
  • Accounts/Finance
    • Mule Operators/recruiters
      • Local
      • fly-in and fly-out
      • fraudsters to create fake business accounts
  • Finance managers : Either receives money from mules or responsible to buy other data/tools that can be used in the operations

Final Words


  • Understand our adversaries motives and intentions and make it hard for them to achieve their objectives.
  • Target what hurts them the most – which is money – if we make it harder for them to get what they want, in long run either they will stop or move else where
  • Another one is sharing – we do talk about sharing, creating standards, do lot of presentation, attend conferences and we have been doing this for years – however, do we need more ? Are we sharing information that useful or actionable ?
  • More involvement of Local authorities and giving them information to help in their investigation instead acting on the information and close out the doors because you did your job.
  • Look at a bigger picture in future – rather than a quick win in present.
  • Emerging technologies seems to be assisting cyber criminals more than organisations due to ease of availability and deployment within their infrastructure. Does these technologies vendors have some kind of compliance or standards or as long as they getting the money. Do organisations understand and assest these technologies and have some logic to detect them based on its footprint ?
  • As the group targets financial organisations, they do access the information via digital channels. Understand how they are accessing, baseline good traffic and monitor their digital identities/footprint. Keen eye will see difference which can be used a detection of such anomalies.
  • Bulletproof hosting providers and their abilities to mask adversarial activities with competitive rates assist further to accomplish objectives which is mostly financial gain.
  • Create mindset towards what these actors are doing and what kind of information they have at their disposal. With this we can answer what can happen. In intelligence, we gather information and assess it and based on that we find something to action on.
  • Lack of cyber laws within a region and corruption to certain extent also assist these cyber criminals to go on without any repurcusions. Can this change ?
  • Organisation concentrate on in-house awareness training and improving security contols and reducing risk by implementing various best practices, however most of the victims are non-employees and unaware of such existent threat. There should be programs to make sure these portential victims are well of an existent threat. Think beyond just a updating a website with known bads.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s