{
	"id": "c85bb163-4646-44ba-b0e8-f20380fc85c6",
	"created_at": "2026-04-06T00:09:18.524444Z",
	"updated_at": "2026-04-10T13:12:49.752588Z",
	"deleted_at": null,
	"sha1_hash": "3854d6a3aad4a5f767800a5b32695e74c579ae90",
	"title": "Gozi ISFB Remains Active in 2018, Leverages \"Dark Cloud\" Botnet For Distribution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1037124,
	"plain_text": "Gozi ISFB Remains Active in 2018, Leverages \"Dark Cloud\" Botnet For Distribution\r\nBy Edmund Brumaghin\r\nPublished: 2018-03-06 · Archived: 2026-04-05 22:01:18 UTC\r\nTuesday, March 6, 2018 10:59\r\nThis blog post was authored by Edmund Brumaghin and Holger Unterbrink, with contributions from Adam Weller.\r\nExecutive Summary\r\nGozi ISFB is a well-known and widely distributed banking trojan, and has been in the threat landscape for the past several years. Banking trojans are a type of malware that attackers leverage in an attempt to obtain banking credentials from customers of various financial institutions. The source code associated with Gozi ISFB has been leaked several times over the years, and the robust features available within the Gozi ISFB code base have since been integrated into additional malware, such as GozNym. Talos published detailed research about GozNym in a September 2016 blog post. Since then, Talos has been monitoring Gozi ISFB activity, and has discovered a series of campaigns over the past six months that have been making use of the elusive \"Dark Cloud\" botnet for distribution. In investigating the infrastructure associated with Dark Cloud, we identified a significant amount of malicious activity making use of this same infrastructure, including Gozi ISFB distribution, Nymaim command and control, and a variety of different spam campaigns and scam activity. Talos is publishing details related to ongoing Gozi ISFB activity, the Dark Cloud botnet, as well as the additional threats we have observed using this infrastructure over the past couple of years.\r\nhttp://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html\r\nPage 1 of 15\r\nCampaign Details\r\nTalos has observed several distribution campaigns over the past few months that exhibit unusual characteristics. These campaigns appear to be relatively low-volume, with the attackers choosing to target specific organizations. They do not appear to send large amounts of spam messages to the organizations being targeted, instead choosing to stay under the radar while putting extra effort into the creation of convincing emails, in an attempt to evade detection while maximizing the likelihood that the victim will open the attached files.\r\nOur engineers have discovered that while the Gozi ISFB campaigns are ongoing, the distribution and C2 infrastructure does not appear to stay active for extended periods, making analysis of older campaigns and samples more difficult. The attackers appear to move very quickly to new domains and IP addresses, not only for each campaign, but also for individual emails that are part of the same campaign. The campaigns that Talos analyzed took place during the fourth quarter of 2017, and have continued into 2018, with new campaigns being launched every week in an attempt to ensnare more victims and generate revenue for the attackers.\r\nMalicious Spam Campaigns\r\nThis malware is distributed using malicious spam email campaigns, which feature Microsoft Word file attachments that function as malware downloaders. The emails appear targeted in nature, an example of which is shown below.\r\nInterestingly, the attackers chose to create emails that appear to be part of an existing email thread, likely in an attempt to convince the victim of their legitimacy. In addition to crafting the email delivering the malicious Word document, they also create additional email subjects and accompanying bodies, which were included with the malicious email. This is not something that is typically seen in most malicious email campaigns, and shows the level of effort the attackers put into making the emails seem legitimate to maximize the likelihood that the victim would open the attached file.\r\nFigure 1: Example Email Message\r\nWhen opened, the attached Word document displays the following decoy image that makes it appear as if the attachment is a document that was created using Office 365. It instructs the user to \"Enable Editing\" and then \"Enable Content.\"\r\nFigure 2: Malicious Word Document\r\nIn the case that the victim follows the instructions, macros embedded within the Word document will execute, facilitating the download and execution of the malware from an attacker-controlled server. The infection process associated with these emails is described in the following section.\r\nInfection Process\r\nAs mentioned above, the Word documents come with an embedded, obfuscated Visual Basic for Applications (VBA) macro which, in most cases, is executed when the document is closed by the victim, as shown in the following screenshot. Executing the macro when the document is closed is a clever trick to bypass some sandbox systems, which only open the documents, but never close them during analysis.\r\nFigure 3: Obfuscated VBA Macro\r\nOnce deobfuscated, the macro does nothing more than simply download an HTA file from a web server. Figure 4 shows the deobfuscated final call from the script above. In other documents, they are using different or slightly modified VBA macros, but once deobfuscated, they all make a similar final call, as shown in Figures 4 and 5.\r\nFigure 4: Final Macro Call\r\nFigure 5: Alternate Macro Call\r\nBecause HTA files are treated as local applications, their content is executed as a fully trusted application. Therefore, the user is not prompted with any security-related questions. The content that is downloaded from qdijqwdunqwiqhwew[.]com is an obfuscated JavaScript script (see Figure 6).\r\nFigure 6: Obfuscated JavaScript\r\nThe lopomeriara variable is a very long obfuscated string which we have shortened (...) in the screenshot. Deobfuscated, it resolves to:\r\nFigure 7: Deobfuscated JavaScript\r\nIn other words, it is using ActiveX to execute a PowerShell script, which downloads and executes the malware to be installed on the victim's machine. In this case the filename was 84218218.exe.\r\nWe have analyzed more than 100 malicious Word documents from this campaign, and it appears that the vast majority of them are individualized. The individualized ones all appear similar, but all their hashes are different, and their VBA code is either completely different or at least slightly modified. Even the image that the adversaries are using in these documents (see Figure 8) is not the same — it differs by slightly changed color values and pixels, as you can see in Figure 9.\r\nFigure 8: Document Image\r\nFigure 9: Image Comparison\r\nAn example of the slightly changed VBA code skeleton can be seen in Figure 10. The adversaries are changing variables, function names, arrays, etc. for more or less every single Word document. Nevertheless, in the majority of documents, the basic code structure stays the same. Sometimes they re-order the functions, or add or remove a few lines of code. But as shown in Figures 10 and 11, the main algorithms stay the same.\r\nFigure 10: VBA Skeleton Comparison\r\nFigure 11: Additional Comparison\r\nAs mentioned above, there are some documents where the VBA script is completely different. The rightmost image in Figure 12 is an example of this. Deobfuscated, it is doing the same known \"http://\u003csome server\u003e/...php?utma=....\" HTTP request which we have seen before.\r\nFigure 12: VBA Code Differences\r\nWe focused the majority of our investigation on campaigns from the fourth quarter of 2017 until the present, but based on other reports and our telemetry data, they have likely been going on for a couple of years. Within the data that we collected, the adversaries have changed the images within the Word documents from time to time (Figures 13 and 14) and used different VBA code in their malicious macros. The schema stays the same; the pixels and color values of the pictures inside the different campaigns are slightly changed, but the message stays the same.\r\nFigure 13: Earlier Document Image\r\nFigure 14: Document Image Font Differences\r\nAn interesting point is that some of them are even localized, as you can see below in Figure 15. This matches the corresponding phishing emails we talked about before. The separate attacks are highly customized and targeted.\r\nFigure 15: Document Image Localization\r\nPayload\r\nThe payload (e.g. 84218218.exe as described above) is different depending on the specific campaign. The vast majority of payloads are banking trojans based on the Gozi ISFB code base, but we have also seen executables identified by AV products as belonging to other malware families, such as CryptoShuffler, Sennoma and SpyEye.\r\nWe have looked closer into the payload mentioned above, and we can clearly identify it as ISFB. Its functionality is very similar to the one described in this report by the Polish Computer Emergency Response Team (CERT). For example, the sample is using the same rolling XOR algorithm to protect its strings.\r\nThe anti-VM methods used within this sample are also identical — the BSS section encryption and the dropper payload setup are very similar. The dropper is also obfuscated with useless strings. It is interesting to note that in the sample we analyzed, the DGA code mentioned in the paper above is included, but it is never used due to its configuration. The sample we analyzed was using a hardcoded domain to communicate with the C2 server. This domain is tmeansmderivinclusionent[.]net. The sample was not configured to use TOR.\r\nRegarding the decryption of the BSS section, this sample presents a particularity. It has a loop which creates small temporary files with a random file name. After creating the files, it queries their creation file time. Then, it applies some transformations to the four least significant bytes of this timestamp to generate a one-byte value. Due to the transformation algorithm, this will result in a value between 0x00000008 and 0x000000FF. See the pseudocode below:\r\nt = t \u003e\u003e 16\r\nt = t \u0026 0x000000F7\r\nt = t + 8\r\nThis one-byte value is then added to the decryption key. With this key, the malware tries to decrypt the BSS section. If the decryption fails, it starts the loop again, and creates the next file, until the section has been properly decoded. This technique seems to replace the anti-sandbox technique based on mouse movement mentioned in previous reports. Although this approach would not hinder dynamic analysis in a full-system VM, we believe it could be an attempt to bypass simpler application-level emulators that may not properly implement the Windows API (e.g., those which might return a fixed timestamp).\r\nThe malware loader contains two versions of the same DLL. One is a 32-bit DLL, and the other is a 64-bit DLL, both of which contain the malware's hardcoded configuration. The DLLs and configuration values are stored in a set of structures indexed in an array located right after the section table (referred to as FJ-struct in the report mentioned above). After the decryption, depending on the victim machine, either the 32-bit or the 64-bit DLL is injected into the explorer.exe process running on the victim machine.\r\nThe Dark Cloud Botnet\r\nIn analyzing the domains and associated infrastructure used to distribute this malware, as well as the associated C2 domains, Talos identified significant overlap between the infrastructure used in these campaigns and what has been described as being associated with a botnet referred to as \"Dark Cloud.\" This botnet was initially described in 2016 in a blog post here. This botnet is interesting, as it was reportedly initially created to provide a \"bulletproof\" way to host several carding sites. It has since expanded, and is also being used for the distribution and administration of various malware families. During our analysis of the infrastructure being used, we identified significant Gozi ISFB and Nymaim distribution and C2, adult dating spam, various carding resources and other malicious activities from this infrastructure.\r\nThere are several interesting characteristics associated with this particular botnet. One of the most prominent is the use of fast flux techniques, which makes tracking the backend infrastructure more difficult. By frequently changing the DNS records associated with the malicious domains, attackers can make use of an extensive network of proxies, continuously changing the IP address being used to handle communications to the web servers the attacker controls.\r\nTalos observed that the time-to-live (TTL) value for DNS records associated with domains used in these malware campaigns was typically set to 150, allowing the attackers to issue DNS record updates every three minutes.\r\nFigure 16: Sample DNS TTL Values\r\nAs we began investigating the domains and IP addresses associated with the distribution and post-infection C2 of Gozi ISFB, we noticed that in most of the cases the same infrastructure was being used by the various carding forums referenced in the KrebsOnSecurity article mentioned above. Using passive DNS data, we collected every IP address that the domains under investigation had been seen resolving to. We also performed the reverse operation, collecting every domain that had ever been seen resolving to the IP addresses we previously collected, in an attempt to get the most complete picture of the infrastructure.\r\nOnce we had this information collected, we began to investigate all of the activity that had been observed associated with this infrastructure. What we discovered was a laundry list of cybercriminal activities, all being conducted using this same infrastructure over the past couple of years.\r\nOne of the most notable carding forums leveraging this fast flux botnet is known as Uncle Sam.\r\nFigure 17: Uncle Sam Website\r\nIn addition to Uncle Sam, we also observed the following carding sites and forums making use of this infrastructure:\r\nPaysell\r\nTry2Swipe\r\nCVVShop\r\nCsh0p\r\nRoyalDumps\r\nMcDuck\r\nPrvtzone\r\nVerified\r\nNote that in several cases, the site owners had registered their domains using multiple TLDs (such as .BZ, .WS and .LV, for example).\r\nWe wrote a script that captured all of the IP addresses that the Uncle Sam website resolved to over a 24-hour period. We determined that over this period, the website had resolved to 287 unique IP addresses. This equates to an IP rotation of approximately 12 times per hour, or every five minutes. This demonstrates just how fluid the DNS configuration associated with these domains is and how much infrastructure is being used by these attackers.\r\nIn addition to various carding websites, we also identified a significant number of Nymaim samples which were beaconing out to IP addresses within this botnet. Nymaim is a malware family that functions as a downloader for additional malware, most commonly seen associated with the delivery of ransomware.\r\nTalos also observed that over the past couple of years, several of the domains we investigated were hosting fake mail generator applications, primarily used to generate spam messages associated with various adult dating websites.\r\nGeographic Distribution\r\nIn analyzing all of the infrastructure associated with this botnet, we identified that the attackers appear to be actively avoiding using proxies and hosts located in Western Europe, Central Europe and North America. The majority of the systems we analyzed were located in Eastern Europe, Asia, and the Middle East. Below is a graphic showing where the largest number of systems were located globally.\r\nFigure 18: Geographic Heat Map\r\nAdditionally, the following bar graph shows the hosting providers around the world that were most heavily used for hosting the systems used by this botnet.\r\nFigure 19: Most Impacted ASNs\r\nTalos is continuing to investigate and track the operations of this botnet to ensure customers remain protected from the various threats that are associated with it.\r\nConclusion\r\nGozi ISFB is a banking trojan that has been used extensively by attackers who are targeting organizations around the world. It has been around for the past several years, and ongoing campaigns indicate that it will not be going away any time soon. Attackers are continuing to modify their techniques and finding effective new ways to obfuscate their malicious server infrastructure in an attempt to make analysis and tracking more difficult. Talos has identified the Dark Cloud botnet being used for a multitude of malicious purposes. We will continue to monitor these threats as they continue to evolve over time to ensure that customers remain protected and the public is informed with regards to continued use of threats such as Gozi ISFB, Nymaim and others.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nSNORT IDs: 39686, 42894\r\nIndicators of Compromise (IOC)\r\nMalicious Document Hashes\r\nA full list of malicious documents associated with these campaigns can be found here.\r\nDomains\r\nA full list of domains associated with these campaigns can be found here.\r\nIP Addresses\r\nA full list of IP addresses associated with these campaigns can be found here.\r\nExecutable File Hashes\r\nA full list of executable hashes associated with these campaigns can be found here.\r\nSource: http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html"
	],
	"report_names": [
		"gozi-isfb-remains-active-in-2018.html"
	],
	"threat_actors": [
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434158,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3854d6a3aad4a5f767800a5b32695e74c579ae90.pdf",
		"text": "https://archive.orkl.eu/3854d6a3aad4a5f767800a5b32695e74c579ae90.txt",
		"img": "https://archive.orkl.eu/3854d6a3aad4a5f767800a5b32695e74c579ae90.jpg"
	}
}