{
	"id": "13a58003-67a6-489b-b0ab-685d0318414e",
	"created_at": "2026-04-06T00:11:38.209586Z",
	"updated_at": "2026-04-10T13:12:44.02458Z",
	"deleted_at": null,
	"sha1_hash": "6ed63c53f3a366456399b093737f4a923b9f4fe6",
	"title": "Threat Spotlight: GozNym",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1005670,
	"plain_text": "Threat Spotlight: GozNym\r\nBy Edmund Brumaghin\r\nPublished: 2016-09-27 · Archived: 2026-04-05 20:04:26 UTC\r\nTuesday, September 27, 2016 10:26\r\nThis blog was authored by Ben Baker, Edmund Brumaghin and Jonah Samost.\r\nExecutive Summary\r\nGozNym is the combination of features from two previously identified families of malware, Gozi and Nymaim. Gozi was a widely distributed banking trojan with a known Domain Generation Algorithm (DGA) and also contained the ability to install a Master Boot Record (MBR) rootkit. Nymaim emerged in 2013 as malware which was used to deliver ransomware and was previously distributed by the Black Hole exploit kit. The code had various anti-analysis techniques, such as the obfuscation of Win32 API calls.\r\nThere have been multiple instances in which the source code of the Gozi trojan has been leaked. Due to these leaks it was possible for the GozNym authors to make use of the ‘best of breed’ methodologies incorporated into Gozi and create a significantly more robust piece of malware which was now capable of utilizing strengthened persistence methods and ultimately becoming a powerful banking trojan.\r\nGiven the recent success of the GozNym trojan and the number of targeted attacks seeking to infect victims with this malware, Talos decided to take a deep look at the inner workings of this particular malware family. Talos started by examining the binaries associated with GozNym as well as the distribution mechanisms. Additionally, we were able to successfully reverse engineer the DGA associated with a GozNym command and control (C2) infrastructure and sinkhole that botnet. 
This gave Talos great visibility into the size and scope of this threat and the number of infected systems beaconing to C2 servers under adversarial control.\r\nhttps://blog.talosintelligence.com/goznym/\r\nPage 1 of 11\n\nA Constantly Evolving Threat\r\nIn analyzing available telemetry data, Talos uncovered four different variants of GozNym that exhibited slightly different characteristics with respect to the Domain Generation Algorithms (DGAs) used to generate the list of C2 servers to connect to. However, it is possible that they were all created and deployed by the same threat actor or group, as there are several overlaps with regard to the C2 infrastructure used, where the binaries were being distributed from, and the phishing campaigns associated with the distribution of the samples. In several cases, samples using different variations of the DGA contacted the same C2 servers. Likewise, servers used to distribute the malicious binaries were observed serving multiple variants of GozNym.\r\nInitial Infection Vector\r\nTalos identified several spear phishing campaigns which were used to distribute the GozNym malware. The downloader was delivered via Microsoft Word documents containing VBA macros, which were responsible for executing HTTP GET requests to download and execute a malicious binary. Analysis of the emails associated with these spear phishing campaigns showed that the adversary was selective and actively attempting to stay under the radar.\r\nThe theme of this spear phishing campaign was similar to others commonly seen in email-based threats, in which the recipient is directed to open an attached \"tax invoice\" or \"payment document\". The adversary took the time to profile each of the organizations targeted in these campaigns. 
In many cases that Talos analyzed, a single email was sent to each organization, with the sole recipient being an employee in the accounting or finance department of the targeted organization. Additionally, the contents of each message were tailored to the organization, and the attachment names were tailored as well.\r\nFigure 1: Email with Subject: Invoice [Random Digits] for [Org Name] via Intuit QuickBooks\r\nIn one such campaign we observed that the attached MS Word documents containing the malicious VBA macros were made to appear as legitimate payment invoices from Bank of America. The actor also tried to further convince the user to enable macros within Microsoft Word by providing a notification prompt.\r\nFigure 2: Example Attachment #1\r\nIn another campaign, the attachment was delivered as a \"Tax Invoice\", and its images included references to Intuit QuickBooks. The same notification was used again to try to coerce the victim into enabling macros.\r\nFigure 3: Example Attachment #2\r\nIn the event that macros are enabled by the victim, the VBA downloader retrieves a malicious binary from an attacker-controlled web server and executes it locally on the system. We extracted the VBA macros from a Microsoft Word document, which resulted in the following obfuscated code:\r\nFigure 4: Example Obfuscated Downloader\r\nThe VBScript has been obfuscated using ROT substitution, with different base values used throughout to determine how far to rotate. 
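As an added example (not code from the Talos post), the following Python unwinds ROT-style string obfuscation of the kind just described. Because each string in the macro may use its own rotation, the shift is brute-forced per string against tokens a VBA downloader cannot avoid (Shell, MSXML, ADODB, http). The obfuscated literals inside are constructed for this example and are not strings taken from the real maldoc:

```python
# Added example (not code from the Talos post): unwinding the per-string ROT
# substitution used by the GozNym VBA downloader. Each string may carry its own
# shift, so the shift is brute-forced per string against tokens a downloader
# macro cannot avoid. The obfuscated literals below are constructed for this
# example and are not strings taken from the real maldoc.
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

# Case-sensitive on purpose: a Caesar shift preserves case, so mixed-case
# tokens prune false positives that a case-insensitive match would admit.
KEYWORDS = ('http', 'Shell', 'MSXML', 'ADODB', 'Stream', 'Open', 'Run', 'Environ')


def rot(text, shift):
    '''Rotate letters by shift positions within their case; leave the rest.'''
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return ''.join(out)


def recover(obfuscated, keywords=KEYWORDS):
    '''Try all 26 shifts; return (shift, plaintext) for the one with the most
    keyword hits, or None when no shift produces a known token.'''
    best = None
    for shift in range(26):
        candidate = rot(obfuscated, -shift)
        hits = sum(1 for kw in keywords if kw in candidate)
        if hits and (best is None or hits > best[0]):
            best = (hits, shift, candidate)
    return None if best is None else (best[1], best[2])


# Constructed stand-ins for the literals a downloader macro needs, each
# rotated by a different amount, as the real macro does.
OBFUSCATED_STRINGS = (
    'PVAPO2.APOKWWS',                    # rotated by 3
    'JFpevcg.Furyy',                     # rotated by 13
    'oaaw://lehtwsl.alza/pucvpjl.lel',   # rotated by 7
)


def deobfuscate_all(strings=OBFUSCATED_STRINGS):
    '''Map each obfuscated literal to (shift, plaintext), or None if unresolved.'''
    return {s: recover(s) for s in strings}


if __name__ == '__main__':
    for obf, result in deobfuscate_all().items():
        print(obf, '->', result)
```

The keyword match is deliberately case-sensitive: a Caesar shift preserves case, so mixed-case tokens such as WScript.Shell prune false positives, and a string that decodes to no known token is reported as unresolved rather than guessed.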
Once the obfuscation has been removed, it is obvious exactly what this script intends to do, which is to download a binary and execute it, thus infecting the system.\r\nFigure 5: Example Deobfuscated Downloader\r\nAnalyzing GozNym\r\nOnce the malicious binary has been executed, the malware unpacks itself, allocates a buffer in the rundll32.exe process and copies its unpacked contents into it. More specifically, it executes rundll32.exe with a fake command line consisting of a random option and a random DLL name. It must be noted that this is not the standard way to invoke rundll32.exe, and that the DLL does not actually exist; a rundll32.exe child whose argument names a DLL that is not present on disk is therefore a useful hunting signal. The malware then attempts to inject the main unpacked data into this process. If successful, it will begin communications with the C2 servers.\r\nExample: rundll32.exe -ya ngfk.dll\r\nThe GozNym samples Talos analyzed used several anti-analysis and obfuscation techniques in an attempt to make analysis more difficult and time consuming. One obfuscation technique employed by the authors of this malware is related to the way in which API calls were obfuscated. The sample implements its own method for importing functions, resolving their addresses in a custom way at runtime. API calls are made by pushing two hard-coded values onto the stack, then jumping to a complex function that is responsible for resolving the API call.\r\nAll of the function calls are made from the same instruction: a JMP located at a fixed address in memory. The return address is not the real call site, but a randomly chosen gadget in a library function that always contains the instruction CALL EBX. EBX holds a given address in the API resolution code. This code adjusts the stack and then returns to the actual caller. 
By using this method, the malware obfuscates the address from which the API function is called: the analyst will not be able to obtain the actual caller address when the API function is called or when it returns, because it never resides on the stack. Additionally, control flow is obfuscated by computing the target address of JMP/CALL instructions at runtime. Similarly, constants are XORed and decoded by calling a function that accepts a parameter in EAX and returns the deobfuscated constant in EAX.\r\nAnother control flow redirection obfuscation consists of creating a thread to execute a gadget that returns into the address pointed to by the parameter passed to the thread function, which is itself shellcode that jumps into a different function through a CALL EAX.\r\nGozNym contains at least one encrypted memory region which is only decrypted on demand. The sample that was analyzed uses a function to copy individual data items to and from this memory region, in such a way that all of the data inside this region is always encrypted and decrypted data resides in memory only temporarily. The malware makes heavy use of custom structures to store and pass data during execution, as well as to implement custom thread synchronization mechanisms.\r\nC2 Characteristics \u0026 Encryption\r\nThe malware initially attempts to determine if the infected system has internet connectivity by performing DNS queries for the A records of google.com and microsoft.com. Later, it attempts to query for its pseudo-randomly generated domains using Google's DNS servers (8.8.8.8 and 8.8.4.4). Once it has found a running C2 server, GozNym uploads system survey information to the server via RC4 encrypted HTTP POST requests. The system survey includes a Machine ID and Windows version, as well as checksums of the username, computer name, and encryption keys stored in the sample. 
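The RC4 POST framing used for this C2 upload, as an added example that is not one of the scripts Talos released: the page names the ingredients (a partial key from the binary, random key bytes, the ciphertext, both lengths, all Base64-encoded) but not their order or field widths, so the header layout, the random-part length and the embedded key bytes below are this example's assumptions, and the survey string is constructed.

```python
# Added example (not Talos's Extract_parameters_from_http_post.py or
# Decrypt_response.py): the RC4 POST framing of the GozNym C2 upload under an
# ASSUMED byte layout. The page gives the ingredients (a partial key in the
# binary, random key bytes, ciphertext, both lengths, Base64) but not the field
# order or widths; the header below is this example's choice.
import base64
import os
import struct

EMBEDDED_KEY_PART = b'goznym-static-part'   # constructed stand-in for the partial key in the binary
RANDOM_PART_LEN = 8                         # assumed
HEADER = struct.Struct('<II')               # assumed: random-part length, ciphertext length


def rc4(key, data):
    '''Plain RC4 (key scheduling, then keystream XOR); encrypts and decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def frame(random_part, ciphertext):
    '''Header with both sizes, then the random key part, then the ciphertext.'''
    return HEADER.pack(len(random_part), len(ciphertext)) + random_part + ciphertext


def unframe(buf):
    '''Inverse of frame; rejects buffers whose sizes disagree with the header.'''
    if len(buf) < HEADER.size:
        raise ValueError('buffer shorter than header')
    rlen, clen = HEADER.unpack_from(buf)
    if HEADER.size + rlen + clen != len(buf):
        raise ValueError('length fields do not match buffer size')
    return buf[HEADER.size:HEADER.size + rlen], buf[HEADER.size + rlen:]


def build_post_body(survey, random_part=None):
    '''Bot side: session key = embedded part + fresh random bytes; RC4; frame; Base64.'''
    if random_part is None:
        random_part = os.urandom(RANDOM_PART_LEN)
    ciphertext = rc4(EMBEDDED_KEY_PART + random_part, survey)
    return base64.b64encode(frame(random_part, ciphertext))


def decrypt_post_body(body, embedded_part=EMBEDDED_KEY_PART):
    '''Analyst side: the random part is inside the body, so the embedded part
    is all that is needed to recover the survey from a captured POST.'''
    random_part, ciphertext = unframe(base64.b64decode(body, validate=True))
    return rc4(embedded_part + random_part, ciphertext)


# Constructed survey; the field names are illustrative, not the real format.
SAMPLE_SURVEY = b'id=0123456789ABCDEF&ver=6.1.7601&user=1a2b3c4d&host=9f8e7d6c'

if __name__ == '__main__':
    body = build_post_body(SAMPLE_SURVEY)
    print(body.decode('ascii'))
    print(decrypt_post_body(body))
```

The design point worth noticing is on the analyst side: the random half of the key rides along in the POST, so the only secret is the partial key embedded in the binary, and extracting that from an unpacked sample is enough to decrypt captured traffic offline.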
The RC4 encryption key is generated using a partial key stored in the binary, followed by a randomly generated series of bytes. GozNym builds a buffer containing the randomly generated part of the key, the encrypted data, and the sizes of both of these byte arrays. It then Base64 encodes this buffer and sends it as HTTP POST data to a C2 server. Because the random part of the key travels in the same buffer, the only secret is the partial key embedded in the binary; once that is extracted from a sample, captured POST bodies can be decrypted offline.\r\nGozNym puts a lot of effort into being difficult to detect in network traffic. Every field in the C2 communications is either randomly generated or encrypted using the partially random key. The URL arguments can be randomly generated with a random number of arguments or can be hardcoded in the malware configuration data. The domains are randomly generated and the User-Agent strings are generated via the Windows API and are therefore not static.\r\nReversing the DGA\r\nTalos discovered multiple DGA variants with differing configurations, and chose to report in depth on the most interesting one. We are actively working to sinkhole all of the botnets that we find. GozNym supports two stages of operation in order to find a viable command and control IP. Additionally, it supports two methods of querying domains: a simple gethostbyname API call and a more complex custom DNS protocol implementation using either 8.8.4.4 or 8.8.8.8 as its server. In the latter case, it sends UDP packets directly and parses the response to retrieve a DNS resolution; on networks where endpoints are expected to use an internal resolver, that direct UDP/53 traffic to Google's servers is itself observable.\r\nStage 1\r\nIn the first stage of the DGA, a variation of the XORShift Pseudo-Random Number Generator (PRNG) is used to create a list of fifteen domains. The PRNG is seeded with a bit-shifted value of the current day, as well as two hard-coded DWORDs. Each domain is between 5 and 12 lowercase letters long, followed by a randomly selected TLD of .net, .com, .in, or .pw. GozNym then uses Google’s DNS server to query each domain, and checks if the IP responses are publicly routable. 
Once it resolves 2 different IPs, it uses those in the second stage of the DGA.\r\nStage 2\r\nGozNym uses the same DGA functions, but this time replaces the hard-coded DWORD seeds with the IP addresses from the first stage DNS query. GozNym creates a new list of 128 domains ordered into a ‘semi-colon-separated-value’ string, but instead of resolving them, it forces the first domain in the list to use the TLD .com. In this process, it finds the first “.” character and substitutes the next 4 characters with “com;”. Considering that the DGA generates TLDs of both 2 and 3 characters, as stated above, a single character from the second domain may be overwritten.\r\nNext it creates a CRC32 hash of the entire domain list and a second hash based on XOR and bit rotation, and finally sums the two hashes. It looks for the result in a table of 360 hashes embedded in the binary, which means the developers have already calculated which seeds and second stage domains they intend to use for at least 360 days. If the hash is inside the table, gethostbyname is used to query the first domain in the list. gethostbyname is typically used to obtain a single IP address for a domain, but the structure it returns can carry several. The second stage domains we’ve observed resolved to four IP addresses for this stage.\r\nGozNym then uses XOR and SUB operations to transform the IPs from the DNS response into usable IPs. One of the IPs corresponds to a checksum of the rest. In order to validate the checksum, it iterates over every IP to check whether it corresponds to the checksum of the rest. When it finds this checksum, it removes it from the IP list and returns the list of IPs. If it cannot verify the IP list checksum, it returns no IP.\r\nThe last check is performed after the first initial contact. The server will return an encrypted list of 4 hashes corresponding to the domain resolved in the second stage. 
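An added example (not Talos's DGA_release.py) of the two-stage check just described, together with the brute-force estimate from the sinkholing section that follows. Only the structure is reproduced: the generator step, the seed folding, the second hash, the IP checksum and the hash table are stand-ins, because the real PRNG variant, seed DWORDs, XOR/rotate constants, XOR/SUB IP transform and 360-entry table live in the binary and are not on the page. What it does show is the TLD overwrite quirk, why the list hash is the weak point, and the expected number of seed attempts per collision.

```python
# Added example (not Talos's DGA_release.py): the structure of GozNym's
# two-stage DGA check and the brute-force estimate from the sinkholing section.
# The PRNG step, seed folding, second hash, IP checksum and table contents are
# stand-ins; the real ones are in the binary, not on the page.
import string
import zlib

TLDS = ('net', 'com', 'in', 'pw')
MASK32 = 0xFFFFFFFF


def xorshift32(state):
    '''One plain xorshift32 step (stand-in for GozNym's variant); state != 0.'''
    state ^= (state << 13) & MASK32
    state ^= state >> 17
    state ^= (state << 5) & MASK32
    return state


class Prng:
    '''Seeded from a day value plus two DWORDs (stage 1) or two IPs (stage 2).'''
    def __init__(self, day_value, word1, word2):
        state = 0x9E3779B9                      # assumed fold constant
        for word in (day_value, word1, word2):
            state = xorshift32((state ^ (word & MASK32)) or 1)
        self.state = state

    def next(self):
        self.state = xorshift32(self.state)
        return self.state


def gen_domain(prng):
    '''5 to 12 lowercase letters, then one of .net, .com, .in, .pw.'''
    length = 5 + prng.next() % 8
    name = ''.join(string.ascii_lowercase[prng.next() % 26] for _ in range(length))
    return name + '.' + TLDS[prng.next() % 4]


def stage1_domains(day_value, dword1, dword2, count=15):
    '''Stage 1: fifteen domains to resolve via 8.8.8.8 / 8.8.4.4.'''
    prng = Prng(day_value, dword1, dword2)
    return [gen_domain(prng) for _ in range(count)]


def stage2_list(day_value, ip1, ip2, count=128):
    '''Stage 2: same generator re-seeded with the two stage-1 IPs, semicolon-joined.'''
    prng = Prng(day_value, ip1, ip2)
    return ';'.join(gen_domain(prng) for _ in range(count))


def force_first_com(domains):
    '''Overwrite the 4 bytes after the first dot with com; (plus semicolon).
    With a 2-letter TLD this also eats the first letter of the second domain.'''
    dot = domains.index('.')
    return domains[:dot + 1] + 'com;' + domains[dot + 5:]


def xor_rotate_hash(data):
    '''Stand-in for the second (XOR and bit-rotation) hash; constants assumed.'''
    h = 0
    for b in data:
        x = h ^ b
        h = ((x << 5) | (x >> 27)) & MASK32
    return h


def list_hash(domains):
    '''CRC32 of the whole list plus the second hash, folded to 32 bits.'''
    data = domains.encode('ascii')
    return (zlib.crc32(data) + xor_rotate_hash(data)) & MASK32


def stage2_domain(day_value, ip1, ip2, hash_table):
    '''The domain to resolve, or None when the list hash is not one of the
    precomputed entries (the binary carries 360, about one per day).'''
    domains = force_first_com(stage2_list(day_value, ip1, ip2))
    if list_hash(domains) not in hash_table:
        return None
    return domains.split(';')[0]


def ip_int(ip):
    a, b, c, d = (int(o) for o in ip.split('.'))
    return (a << 24) | (b << 16) | (c << 8) | d


def validate_ip_list(ips):
    '''Find the entry that is the checksum of the others, drop it and return
    the rest; [] when nothing validates. A 32-bit sum stands in for the real
    XOR/SUB transform, which is not on the page.'''
    values = [ip_int(ip) for ip in ips]
    for i, candidate in enumerate(values):
        rest = values[:i] + values[i + 1:]
        if candidate == (sum(rest) & MASK32):
            return ips[:i] + ips[i + 1:]
    return []


def expected_tries(table_size=360):
    '''Random seed pairs needed on average before the 32-bit list hash lands
    in the table: 2**32 / 360, about 11.9 million (the 1 in 11 million above).'''
    return 2 ** 32 // table_size
```

Two things to take from running it: force_first_com shows the overwrite the text describes (a .in or .pw first domain loses the first letter of the second domain), and expected_tries makes the sinkholing arithmetic concrete: whatever entropy goes into the seeds, a random seed pair only has to land one 32-bit value in a table of 360, so the search space an attacker faces is 2^32 / 360, not 2^64.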
If that checksum does not match, the sample will not continue processing the contents of the response.\r\nSinkholing the Unsinkable\r\nGozNym’s DGA authentication can seem daunting at first, with 32 bits from a transformed version of the date, followed by 64 bits of entropy from the IPs received from the first DNS response. Those 96 bits are used to seed the random number generator, then to construct a string of 128 randomly generated domains and verify the checksum of the result. The critical flaw in this authentication is that the final checksum is only 32 bits, which is relatively easy to brute force. Brute forcing scales exponentially with length, so trying all possible seed IPs (64 bits of entropy) would take over 4 billion times as long as brute forcing a seed that matches the 32-bit hash.\r\nTalos developed scripts to replicate GozNym’s DGA and brute force valid IP ranges to find valid second stage DGA seeds. The date is non-trivially incorporated in the seeding process, so we had to brute force a new set of seed IPs for each day we wanted to sinkhole. Each attempt required around 1000 calls to the PRNG to generate each character in the domain list, as well as CRC32 hashing the domain list. The probability of any random set of seed IPs causing a hash collision is about 1 in 11 million (360 acceptable values out of 2^32, i.e. one hit per roughly 11.9 million attempts). We were able to generate one hash collision per 5 hours using a pretty beefy desktop computer. Each hash collision meant that for a single day, we had found a working set of seed IPs and the domain GozNym would attempt to contact after receiving those seed IPs.\r\nAnother big mistake in GozNym’s DGA was in the way it treated the list of first stage domains. 
If the first domain in the list returned a valid set of seed IPs, GozNym would never attempt to contact any other domains in that list. By using a hash collision on the first domain, we could prevent GozNym victims from attempting to contact any of the other domains in the list. The machines infected with GozNym would beacon to our sinkhole server once, then get stuck in a loop with lots of sleeping and occasional queries to Google’s DNS for our sinkholed domains.\r\nProfiling the Botnet\r\nOur sinkhole server received 23,062 beacons within the first 24 hours of sinkholing GozNym. Each infected machine would only send one beacon before realizing we weren’t responding, so that roughly corresponds to one beacon per victim. The most notable exception would be sandboxes, which may beacon out several times from a small set of IPs. We received beacons from 1854 unique IPs.\r\nHere is a breakdown of the top countries from which beacons were received:\r\nFigure 6: GozNym Unique IPs by Country\r\nConclusion\r\nAs can be seen from the characteristics of the spam campaigns used to distribute GozNym to potential victims, a good deal of effort was spent determining whom to target within organizations, and spear phishing was used in an effort to evade detection and avoid alerting administrators. Additionally, the anti-analysis and evasion techniques employed by the malware indicate that the malware authors were concerned with making analysis by security analysts more difficult and time consuming. Spear phishing attacks continue to be used by threat actors attempting to infect organizations. This is likely due to the continued success of these types of attacks. GozNym highlights the dangers of phishing campaigns and the importance of ensuring that organizations are protected from these types of threats. 
As shown by our analysis, GozNym is a constantly evolving threat that will likely continue to morph as attackers seek to add features and improve upon the ones currently present within the trojan.\r\nTalos is also releasing the following scripts that can be used to perform analysis of GozNym samples:\r\nDGA_release.py, which simulates the DGA used by GozNym.\r\nExtract_parameters_from_http_post.py, which extracts parameters from the HTTP POST requests that are sent to C2 servers.\r\nDecrypt_response.py, which allows for decryption of the response payload.\r\nThese tools are available in the Talos Github repository located here.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nThe Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors. 
ESA can block malicious emails sent by threat actors as part of their campaign.\r\nIndicators of Compromise\r\nMaldocs (SHA256):\r\nbf1601d89f816312278ac09b0c21acdc854c4d21e1443f5170b49c5f64ffcc11\r\n4b2cda69112b4d25c25da0df18cad55dd78fed78e9525c1f48ff5b86517af505\r\n48e7c4357cb3f19ca931951b502fcb4a50c18240d2b21c08e54f7086dde35637\r\nc31878e2250f105b1ac52f9584d9f3d67fd07f2795c20cd1fdbe738fa24f639b\r\n4b9f9894953843c5929885e7ca0bfc16fd6b718c7567f83f6cc6881b0c17fb48\r\ne00d90dea174fa51b07d2d991614630721c04d12810fe72a40dea8fd6edfa3f1\r\nfa4f949b0bd6c4f07aee82027c40521ccdc6f4f3d930335caa6dc9bc2fab5140\r\na68cec90af59daa1e71b4a0c5cf07c62ddc5440e9b1d4303bd111526d0972881\r\n7e42ec7809fd48590c1eb6c5f936187ce7c31177adff831837e9bcc7549ed440\r\n8ea0d38bd3857adc74eebafc548393ca982dbd7cb3a89a0499e453b05938cb6b\r\naabd5d71c4251f8a56a0434c37ed88aba73d44bd45a66d054123c86665428778\r\n361231d27c6fe4d3f9176c7c5ebfba96618d15ea29f52625ae522054f81115a0\r\n7b90dcf26d56cc4b6325675cb973f122c2d98904eff540afd917b0552aa9c68b\r\n169384f163eb14b23d2bab8a9269ebd8940b0ec51bcd1767d03c43052c0bb139\r\n443f5760fda53f19db6f483c2fcce5658bebaa3d40a9e535e7de4723f3b40e13\r\n212aded63a3af0996f183da175dbd69ad830299cf3b8d97c7e10535c50b29de9\r\n31c4ae8dbf12f4f9999929602cf24179011c30d1599d36db190af7d85ed2ac1b\r\na56c177c39bfaa4c50d28b549f7b509299135e0bcd82fb694b21bcbde90a7c66\r\n328fa5803334650ac130105c08251d47a3f447f114ead9d012308e11769379cc\r\n06580e38fe29b2e7ce3a53df4c5ccb389eaa21b8a2f0f4e2dbd880b3c5c5a4cd\r\nc16036c5fc0c25970ba55e5e9d1bb0be8a4044f39495679deb4900c12c1e57e3\r\n46001cf7063cffc00f2fcea7828084f6537e7cc500f3372b2014ca42b21a0dcc\r\ncc86b2b5939ba56a33395121a618c61cfb7cde19fa76231a3a5e872bf1262f34\r\nMalicious Binaries (SHA256)\r\n17aa5711b59e389ffb65294b8281d3b5f39ca18ac1ac861327e7d8548f49a4d3\r\neb10ec30f2fec3830daee6ad502e527ad6ef67e4591d545b1a84dde300b3edb5\r\n55f9cd6cbed53ccc26d6d570807a18f91d9d8c10db352524df424f356d305a6e\r\nc58d987be377e4fa3d512a21fdb522bd894b8d91536330a9abebbb461fd093b7\r\nb98a835c6239c63a6ada26b92a4605264a9a36130bebe288b21c51edd750dea2\r\n87be9450f217180f09436d3307c7441d090ccfcedfcf6ce1275e8b0d2c9f4470\r\n9b52bd5194475d24b6f0e2d191a8e5bc943f80153a3768ce749dc5f93320e52f\r\nbac9c27a047a7fa4cb35f84fd7f63a87ce79e01c91944c48c35854cb891adf2c\r\n65a8909d4f61aff28a66ee4682c7722e68551fd2dc5fce2c8e160f89b2685971\r\n3577f0b44ded3f0207910c5e624a7a2667fea4fff0416f8c3cc37995c494e9e2\r\nDistribution Servers\r\nmorelikestoday[.]com\r\ncarsi12[.]com\r\nsociallyvital[.]com\r\nC2 Domains\r\nmbcqjsuqsd[.]com\r\nkcrznhnlpw[.]com\r\nhumzka[.]com\r\nSource: https://blog.talosintelligence.com/goznym/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/goznym/"
	],
	"report_names": [
		"goznym"
	],
	"threat_actors": [
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434298,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ed63c53f3a366456399b093737f4a923b9f4fe6.pdf",
		"text": "https://archive.orkl.eu/6ed63c53f3a366456399b093737f4a923b9f4fe6.txt",
		"img": "https://archive.orkl.eu/6ed63c53f3a366456399b093737f4a923b9f4fe6.jpg"
	}
}