Trojan:Win32/Gozi (also known as Ursnif or ISFB) is one of the most sophisticated, enduring, and financially devastating banking trojans in cybersecurity history.
Understanding Gozi (Ursnif)
For the general public, a Gozi infection results in emptied bank accounts and stolen identities. For cybersecurity experts, Gozi represents a masterclass in malware engineering. Its leaked source code in 2010 spawned numerous variants, making it a cornerstone of modern financial cybercrime. It is specifically designed to steal banking credentials, intercept two-factor authentication (2FA) codes, and execute fraudulent transactions via web injects.
Execution and Evasion Strategies
Gozi is typically distributed via highly targeted spearphishing campaigns containing weaponized Office documents (macros) or through exploit kits like RIG or Angler. Once executed, Gozi uses advanced evasion techniques; it often stores its configurations and payloads encrypted within the Windows Registry rather than the file system (fileless malware techniques). It achieves persistence by modifying the AppInit_DLLs registry key or utilizing COM hijacking.
Indicators of Compromise & Impact
Once active, Gozi injects its core modules into web browsers (IE, Chrome, Firefox). When a victim navigates to a targeted banking portal, Gozi uses 'web injects' to alter the HTML of the banking site on-the-fly, prompting the user for additional sensitive information (like PINs or secure tokens). Incident responders tracking Gozi should analyze memory for injected browser DLLs, hunt for anomalous outbound traffic to Fast Flux C2 networks, and monitor for hidden registry keys containing large blobs of encrypted data.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1055.001 | Process Injection: Dynamic-link Library Injection | Defense Evasion |
T1185 | Browser Session Hijacking | Collection |
T1546.015 | Event Triggered Execution: Component Object Model Hijacking | Privilege Escalation |
T1111 | Two-Factor Authentication Interception | Credential Access |
T1566.001 | Phishing: Spearphishing Attachment | Initial Access |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_GOZI {
meta:
description = "Detects Gozi (banking_trojan)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "gozi" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Gozi Activity
id: 9e66b7fb7b1c14462ac41a2bd4799098
status: experimental
description: Detects generic indicators of the gozi malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*gozi*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/gozi.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.