A widely distributed banking trojan has once again been updated with new attack techniques as cyber criminals look to ensure their malware is as effective – and discreet – as possible in efforts to steal banking credentials from customers of various financial institutions. The Gozi ISFB banking trojan is now being distributed with the aid of the ‘Dark Cloud’ botnet, a criminal service that is used to distribute several malware families, including Gozi and Nymaim. According to researchers at Cisco Talos, those behind Gozi have leveraged the Dark Cloud botnet to help launch campaigns over the last six months.
The Dark Cloud botnet uses its army of hijacked computers to change the domain name server (DNS) of hosted activities every few minutes, making it more difficult for anyone looking to identify the hackers to track them down. This latest round of Gozi attacks continues to use the previously identified technique of conversation hijacking, with the attackers creating emails that appear to be part of an ongoing thread in an attempt to increase the likelihood that the victim will trust the sender and download the malicious attachment equipped with the malware downloader.
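Rotation on a scale of minutes, as described above, leaves a trace that defenders can look for in resolver or passive-DNS logs. The Python below is an added example, not code from Cisco Talos or from the original article; it assumes the rotation shows up as one name resolving to several different addresses with short TTLs inside a short window, and the log format, host names, addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS sample: "timestamp name A-record TTL".
# Names use the reserved .example TLD; addresses are documentation ranges.
SAMPLE_LOG = """\
2018-03-06T10:00:05 cdn.shop.example 192.0.2.10 3600
2018-03-06T10:00:40 files.flux.example 198.51.100.7 150
2018-03-06T10:03:10 files.flux.example 203.0.113.21 150
2018-03-06T10:06:02 files.flux.example 198.51.100.88 150
2018-03-06T10:08:30 cdn.shop.example 192.0.2.10 3600
2018-03-06T10:09:15 files.flux.example 203.0.113.140 150
2018-03-06T10:12:44 files.flux.example 192.0.2.201 150
2018-03-06T10:30:00 lb.mail.example 192.0.2.50 300
2018-03-06T10:50:00 lb.mail.example 192.0.2.51 300
"""

def parse(log):
    """Yield (time, name, ip, ttl) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]),
                   parts[1].lower().rstrip("."), parts[2], int(parts[3]))
        except ValueError:
            continue  # bad timestamp or TTL

def rotating_domains(log, window=timedelta(minutes=15), min_ips=4, max_ttl=300):
    """Return {name: peak count of distinct A records inside one window} for
    names reaching min_ips while every answer in that window has TTL <= max_ttl."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in parse(log):
        by_name[name].append((ts, ip, ttl))
    flagged = {}
    for name, rows in by_name.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge so the span never exceeds the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            ips = {ip for _, ip, _ in span}
            if len(ips) >= min_ips and all(t <= max_ttl for _, _, t in span):
                flagged[name] = max(flagged.get(name, 0), len(ips))
    return flagged
```

Content delivery networks and load balancers also rotate addresses with short TTLs, so a hit is a triage signal to correlate with other evidence rather than a verdict.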
Read more about how botnet distribution has been added to attacks which are crafted to hijack email threads on ZDNet.