GoziAT

distributing large volumes (of spam, exploit kit, bundle…)

It is still distributed by spam in Italy today.

The operators are known to use that feature to maintain a constant feed of fresh login credentials for SMTP accounts, plus a list of valid emails to spam.

the malware injects itself into the web browser and capture every HTTP POST request, which makes credential and stealing credit card easy.

Victims fingerprinting : the malware can collect local information about the victim computer, OS type, IP address, computer name, list of Anti-Virus applications, check if the computer is attached to a Domain Controller etc.

the malware injects itself into the web browser and capture every HTTP POST request, which makes credential and stealing credit card easy.

The main feature of the module is injecting code into the web browser that will monitor which websites the victims are visiting. If a banking website is identified, ISFB injects a small snippet of JavaScript into the online banking website to steal the login credentials.

Some used RC6 some Serpent for the same bot version.

The RM2 branch used to have a static CnC beacon format. The bot sends its requests to a URL path like “/images/[encoded data].[avi|bmp|gif|jpeg]”

While Expro distributes in a very noisy way, he concentrated a lot of his efforts into hiding his backend behind a layer of proxies, making him able to survive for very long time.

with the first integration of Tor onion as available C2.

File stealer: A module that makes exfiltration of specific files from the victims hard drive possible.