
Gozi Malware C2 - Detect

ID: gozi-malware-c2

Severity: info

Author: pussycat0x

Tags: ssl,tls,c2,ir,osint,malware,gozi

Gozi is a banking Trojan that has been modified to include new obfuscation techniques to evade detection. Previous breaches involving Gozi in the healthcare sector led to the compromise of data associated with 3.7 million patients, costing $5.55 million.

```yaml
id: gozi-malware-c2

info:
  name: Gozi Malware C2 - Detect
  author: pussycat0x
  severity: info
  description: |
    Gozi is a banking Trojan that has been modified to include new obfuscation techniques, to evade detection. Previous breaches involving Gozi in the healthcare sector led to the compromise of data associated with 3.7 million patients costing $5.55 million.
  reference: |
    https://github.com/thehappydinoa/awesome-censys-queries#gozi-malware--
  metadata:
    verified: "true"
    max-request: 1
    censys-query: 'services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=\*"'
  tags: ssl,tls,c2,ir,osint,malware,gozi

ssl:
  - address: "{{Host}}:{{Port}}"

    matchers:
      - type: word
        part: issuer_dn
        words:
          - "CN=*, OU=1, O=1, L=1, ST=1, C=XX"

    extractors:
      - type: json
        json:
          - ".issuer_dn"
# digest: 490a0046304402201b1795acb8124bcef5bbcae18f05f935b7ffefd560aee53c26057a4ac1f0daa50220742074758ca58148ab4883599e733af97b3a90a05ea95c965aa9de8fe23ae40a:922c64590222798bb761d5b6d8e72950
```

This is a nuclei `ssl` template, not a web-application vulnerability check. It completes a TLS handshake with the target, reads the issuer distinguished name of the leaf certificate, and reports a match when that issuer is the placeholder DN (`C=XX, ST=1, L=1, O=1, OU=1, CN=*`) that Gozi C2 servers have been observed using in their self-signed certificates. A hit therefore means the host is presenting a certificate tied to Gozi infrastructure and warrants incident-response follow-up, not that the host has a software flaw.

Two details matter when reusing the rule elsewhere. The `word` matcher is a plain substring comparison against the issuer DN as nuclei renders it, with CN first, so the match string is written in that order, whereas the `censys-query` in the metadata lists the same attributes C first; a copy-paste between the two formats will silently stop matching. The `json` extractor returns the full issuer DN in the result so the value can be pivoted on in a SIEM or against a passive-DNS or certificate-transparency source.

Because the template connects to `{{Host}}:{{Port}}`, the target should be a host or `host:port` (for example `203.0.113.10:443`):

```bash
$ nuclei -u "URL" -t "ssl/c2/gozi-malware-c2.yaml"
```
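The same issuer DN shows up in three orderings depending on where it was captured: CN-first from nuclei, C-first from Censys, and slash-separated from older openssl builds. The following Python helper is an added example and is not part of the nuclei template or of nuclei itself. It reproduces the template's literal substring match beside an order-independent RDN comparison and runs both over constructed sample strings (not captured from real hosts), so the difference is visible; the `issuer=` prefix handling and the sample labels are assumptions made for the example.

```python
"""Issuer-DN checks for the Gozi C2 certificate pattern (added example).

Not part of the nuclei template. The template's `word` matcher is a plain
substring match on the issuer DN as nuclei renders it (CN first). The same
DN comes out C-first from Censys and as /C=XX/ST=1/... from older openssl
builds, so a helper that compares RDNs order-independently is useful when
the check is applied to data other than nuclei's own output.
"""
import re

# Literal string the template matches (nuclei's CN-first rendering).
TEMPLATE_WORD = "CN=*, OU=1, O=1, L=1, ST=1, C=XX"

# The same issuer as an attribute set: every RDN is a placeholder and the
# CN is a literal asterisk, which is what makes this certificate stand out.
GOZI_ISSUER_RDNS = {"C": "XX", "ST": "1", "L": "1", "O": "1", "OU": "1", "CN": "*"}

# attr=value pairs separated by ',' (RFC 2253 style) or '/' (openssl style).
# Escaped separators inside values are out of scope for this helper.
_RDN_RE = re.compile(r"([A-Za-z]+)\s*=\s*([^,/]*)")
# Optional "issuer=" prefix as printed by `openssl x509 -noout -issuer` (assumed form).
_PREFIX_RE = re.compile(r"^\s*issuer\s*=\s*")


def template_word_match(issuer_dn: str) -> bool:
    """What the template's `word` matcher does: a case-sensitive substring test."""
    return TEMPLATE_WORD in issuer_dn


def parse_dn(issuer_dn: str) -> dict:
    """Parse a DN string into {ATTR: value}. Repeated attributes keep the last value."""
    dn = _PREFIX_RE.sub("", issuer_dn)
    return {attr.upper(): value.strip() for attr, value in _RDN_RE.findall(dn)}


def is_gozi_issuer(issuer_dn: str) -> bool:
    """Order-independent match: exactly the Gozi placeholder attributes, nothing else."""
    return parse_dn(issuer_dn) == GOZI_ISSUER_RDNS


# Constructed sample issuer strings, one per source format, plus a benign
# issuer and a near-miss that keeps the placeholders but uses a real country code.
SAMPLES = {
    "nuclei": "CN=*, OU=1, O=1, L=1, ST=1, C=XX",
    "censys": "C=XX, ST=1, L=1, O=1, OU=1, CN=*",
    "openssl": "issuer=/C=XX/ST=1/L=1/O=1/OU=1/CN=*",
    "benign": "CN=R3, O=Let's Encrypt, C=US",
    "near_miss": "CN=*, OU=1, O=1, L=1, ST=1, C=US",
}


def classify(samples: dict) -> dict:
    """Run both checks over {label: issuer_dn}; returns {label: (word_match, rdn_match)}."""
    return {label: (template_word_match(dn), is_gozi_issuer(dn)) for label, dn in samples.items()}


if __name__ == "__main__":
    for label, (word, rdn) in classify(SAMPLES).items():
        print(f"{label:10s} template-word={word!s:5s} rdn-match={rdn}")
```

Only the nuclei-ordered string satisfies the template's substring match; the Censys and openssl forms of the identical certificate pass only the RDN comparison, and the near-miss with `C=US` fails both, which is the behaviour you want before turning a copied Censys query into a detection rule.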
