Gozi, the infamous and widely-distributed banking malware, is back again in a new campaign designed to boost its distribution and generate more revenues for its operators. In efforts to expand attacks, the hackers behind Gozi were found leveraging the elusive Dark Cloud botnet.

Dark Cloud was first uncovered in 2016 and was reportedly created to host carding sites. However, the botnet has since expanded. According to security experts at cybersecurity firm Cisco Talos, who uncovered the new Gozi campaign, the Dark Cloud botnet has over the last few years been used by hackers involved in a “laundry list of cybercriminal activities.”

The botnet uses its army of hijacked and enslaved systems to change the name server hosting its domains every few minutes, so that any single address a defender blocks or tracks is stale almost as soon as it is recorded. This in turn helps hackers evade detection while keeping their malicious activities running.

Unlike previous campaigns, hackers behind the Gozi malware now appear to be going after specific targets. The recent Gozi distribution campaigns were also observed to be relatively low-volume, with hackers opting to work under the radar by not sending out a large volume of spam emails. Instead, Cisco Talos researchers found the hackers behind Gozi were making an effort to craft convincing emails that would lure more victims.

“Our engineers have discovered that while the Gozi ISFB campaigns are ongoing, the distribution and C2 infrastructure does not appear to stay active for extended periods, making analysis of older campaigns and samples more difficult,” Cisco Talos security researchers Edmund Brumaghin and Holger Unterbrink wrote in a blog, which also contains contributions from Adam Weller, one of the company’s engineers.

[Image: A man types on a computer keyboard in Warsaw in this illustration file picture, Feb. 28, 2013. Reuters/Kacper Pempel/Files]

“The attackers appear to be very quickly moving to new domains and IP addresses, not only for each campaign, but also for individual emails that are part of the same campaign. The campaigns that Talos analyzed took place during the fourth quarter of 2017, and have continued into 2018, with new campaigns being launched every week in an attempt to ensnare more victims and generate revenue for the attackers,” the researchers said.
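The rotation described above, where a domain's hosting address changes every few minutes and moves again for each campaign or even each email, leaves a visible trace in DNS resolution records. The following added example, written for this page and not taken from the article or from Cisco Talos, scores domains in a constructed passive-DNS log by how often their resolved address changes and how many distinct addresses they have used. The log format, the hostnames, the addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions made for the example.

```python
"""Triage passive-DNS observations for rapidly rotating hosting infrastructure.

Added example (not from the article or from Cisco Talos). It scores each
domain by how often its resolved address changes and how many distinct
addresses it has used, which is the observable side effect of the
rotation technique the article describes.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; hostnames and addresses are documentation
# ranges (RFC 2606 / RFC 5737) and are NOT indicators from the report.
# Format: "<ISO timestamp> <domain> <resolved IPv4> <TTL seconds>"
SAMPLE_LOG = """\
2018-01-15T09:00:00 updates.example-cdn.net 203.0.113.10 300
2018-01-15T09:05:00 updates.example-cdn.net 203.0.113.10 300
2018-01-15T09:10:00 updates.example-cdn.net 203.0.113.10 300
2018-01-15T09:00:00 invoice-review.example.test 198.51.100.7 60
2018-01-15T09:03:00 invoice-review.example.test 198.51.100.42 60
2018-01-15T09:06:00 invoice-review.example.test 192.0.2.201 60
2018-01-15T09:09:00 invoice-review.example.test 198.51.100.99 60
2018-01-15T09:12:00 invoice-review.example.test 192.0.2.17 60
"""


def parse_log(text):
    """Group observations by domain, sorted by time.

    Returns {domain: [(datetime, ip, ttl), ...]}; malformed lines are skipped.
    """
    by_domain = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts_text, domain, ip, ttl_text = parts
        try:
            ts = datetime.fromisoformat(ts_text)
            ttl = int(ttl_text)
        except ValueError:
            continue
        by_domain[domain].append((ts, ip, ttl))
    for records in by_domain.values():
        records.sort(key=lambda r: r[0])
    return dict(by_domain)


def summarize(records):
    """Per-domain rotation statistics for one time-sorted record list."""
    ips = [ip for _, ip, _ in records]
    # Count consecutive observations where the resolved address differs.
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    span_min = (records[-1][0] - records[0][0]).total_seconds() / 60
    return {
        "observations": len(records),
        "distinct_ips": len(set(ips)),
        "changes": changes,
        "window_minutes": span_min,
        # Minutes per change; None when the address never changed.
        "minutes_per_change": (span_min / changes) if changes else None,
        "min_ttl": min(ttl for _, _, ttl in records),
    }


def flag_rapid_rotation(by_domain, max_minutes_per_change=10.0, min_distinct_ips=3):
    """Return domains whose address changed at least every N minutes across
    at least M distinct addresses. Thresholds are assumptions to tune locally."""
    flagged = []
    for domain, records in by_domain.items():
        s = summarize(records)
        if (s["distinct_ips"] >= min_distinct_ips
                and s["minutes_per_change"] is not None
                and s["minutes_per_change"] <= max_minutes_per_change):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for dom, recs in parsed.items():
        print(dom, summarize(recs))
    print("rapid rotation:", flag_rapid_rotation(parsed))
```

Treat the output as a triage queue rather than a verdict: content delivery networks also answer with changing addresses and short TTLs, so a flagged domain should be weighed against its age, the ownership of the addresses it cycles through, and whether anything on the network actually contacted it.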

The researchers also discovered the hackers behind Gozi experimenting with other payloads, such as CryptoShuffler and SpyEye. While CryptoShuffler is a cryptocurrency mining malware targeting popular digital currencies like bitcoin, ethereum, zcash and others, SpyEye is an infamous banking malware first seen in the wild in 2009. Gozi hackers’ experimentation with these payloads may indicate further malware upgrades on the horizon.

“Gozi ISFB is a banking trojan that has been used extensively by attackers who are targeting organizations around the world. It has been around for the past several years, and ongoing campaigns indicate that it will not be going away any time soon,” Cisco Talos researchers said. “Attackers are continuing to modify their techniques and finding effective new ways to obfuscate their malicious server infrastructure in an attempt to make analysis and tracking more difficult. Talos has identified the Dark Cloud botnet being used for a multitude of malicious purposes.”