Gozi

Category: banking_trojan · Aliases: None known · Sample count (EMBER 2018): 113 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Gozi (also known as Ursnif or ISFB) is one of the most sophisticated, enduring, and financially devastating banking trojans in cybersecurity history.

Understanding Gozi (Ursnif)
For the general public, a Gozi infection results in emptied bank accounts and stolen identities. For cybersecurity experts, Gozi represents a masterclass in malware engineering. Its leaked source code in 2010 spawned numerous variants, making it a cornerstone of modern financial cybercrime. It is specifically designed to steal banking credentials, intercept two-factor authentication (2FA) codes, and execute fraudulent transactions via web injects.

Execution and Evasion Strategies
Gozi is typically distributed via highly targeted spearphishing campaigns containing weaponized Office documents (macros) or through exploit kits like RIG or Angler. Once executed, Gozi uses advanced evasion techniques; it often stores its configurations and payloads encrypted within the Windows Registry rather than the file system (fileless malware techniques). It achieves persistence by modifying the AppInit_DLLs registry key or utilizing COM hijacking.

Indicators of Compromise & Impact
Once active, Gozi injects its core modules into web browsers (IE, Chrome, Firefox). When a victim navigates to a targeted banking portal, Gozi uses 'web injects' to alter the HTML of the banking site on-the-fly, prompting the user for additional sensitive information (like PINs or secure tokens). Incident responders tracking Gozi should analyze memory for injected browser DLLs, hunt for anomalous outbound traffic to Fast Flux C2 networks, and monitor for hidden registry keys containing large blobs of encrypted data.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1055.001Process Injection: Dynamic-link Library InjectionDefense Evasion
T1185Browser Session HijackingCollection
T1546.015Event Triggered Execution: Component Object Model HijackingPrivilege Escalation
T1111Two-Factor Authentication InterceptionCredential Access
T1566.001Phishing: Spearphishing AttachmentInitial Access

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_GOZI {
    meta:
        description = "Detects Gozi (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "gozi" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Gozi Activity
id: 9e66b7fb7b1c14462ac41a2bd4799098
status: experimental
description: Detects generic indicators of the gozi malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*gozi*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Immediately sever the endpoint's network connection to halt active financial theft and data exfiltration.
  2. Force a mandatory password reset for all financial, corporate, and personal accounts accessed from the infected host.
  3. Capture a forensic image of the system's RAM; memory analysis is often the only way to extract Gozi's decrypted web injects and C2 configuration.
  4. Perform a clean installation (reimage) of the operating system, as Gozi's deep system hooks and fileless registry persistence are extremely difficult to eradicate manually.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not attempt to remediate a Gozi infection using standard AV tools; its advanced rootkit capabilities often hide its true presence.
  2. Do not log into any accounts on the infected machine, as the web injects and keyloggers are highly effective at capturing real-time credentials.

References & External Analysis

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/gozi.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.