Also known as Gozi2/Ursnif, sometimes Rovnix, ISFB reappeared in early 2013 attracting some attention from the research community and a lot of confusion in the naming convention and to what was being analyzed. Then suddenly, it went dark again.
However, dark does not mean dead. With attention of the world focused on Dridex and Dyre, ISFB silently evolved, hiding from the spotlight to become one of the most complex and fully featured banking trojans out there. In this paper, we want to break the silence surrounding ISFB, giving a full description of the capabilities of this malware which are beyond those of the average banking trojan: 4 ways of communicating with the C&C, half a dozen tricks to steal your money, the ability to create movies of your activity and naturally numerous ways of manipulating your web traffic.
It all comes as a very nicely designed piece of software, with a custom configuration format, beautifully fitted into the malware itself, uncommonly used crypto and rather clean code, making it an interesting target for an analyst.
While it’s perfect target for a an analyst, it’s broad capabilities make it a weapon of choice for a bad guys, making it a one the most popular bankers alongside vawtrak and ZeuS derivatives.
But, in today’s world, malware is more than just a binary sitting on your computer, but an entire infrastructure supporting it in the backend. We will therefore also provide an overview of the architecture used for that purpose, including the whole chain of tiers that lead us to the C&C server,
The paper will be backed up by a set of scripts and signatures (IoCs) that will help in hunting for this threat, extracting interesting pieces of configuration and webinjects it self.