This infamous banking malware has now made a return, and is using the Dark Cloud botnet to evade detection by law enforcement agencies.
Cisco Talos – a cybersecurity and threat intelligence agency – has warned that the trojan’s operators are now running a low-volume, targeted campaign to lure victims.
"Our engineers have discovered that while the Gozi ISFB campaigns are ongoing, the distribution and C2 infrastructure does not appear to stay active for extended periods, making analysis of older campaigns and samples more difficult. The attackers appear to be very quickly moving to new domains and IP addresses, not only for each campaign, but also for individual emails that are part of the same campaign," a Cisco Talos research paper reads.
Gozi’s original creator was caught and prosecuted, but catching the malware’s current operators is likely to be more difficult, as they are employing new techniques to improve anonymity, as outlined by the below excerpt from the research paper.
“Attackers are continuing to modify their techniques and finding effective new ways to obfuscate their malicious server infrastructure in an attempt to make analysis and tracking more difficult. Talos has identified the Dark Cloud botnet being used for a multitude of malicious purposes,” the paper adds.