nuclei-templates/ssl/c2/gozi-malware-c2.yaml

id: gozi-malware-c2

info:
  name: Gozi Malware C2 - Detect
  author: pussycat0x
  severity: info
  description: |
    Gozi is a banking Trojan that has been modified to include new obfuscation techniques, to evade detection. Previous breaches involving Gozi in the healthcare sector led to the compromise of data associated with 3.7 million patients costing $5.55 million.
  reference: |
    https://github.com/thehappydinoa/awesome-censys-queries#gozi-malware--
  metadata:
    verified: "true"
    max-request: 1
    censys-query: 'services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=\*"'
  tags: ssl,tls,c2,ir,osint,malware,gozi
ssl:
  - address: "{{Host}}:{{Port}}"
    matchers:
      - type: word
        part: issuer_dn
        words:
          - "CN=*, OU=1, O=1, L=1, ST=1, C=XX"

    extractors:
      - type: json
        json:
          - ".issuer_dn"
# digest: 4b0a00483046022100988d6f97110fe985e3492f98a83c8482f7b2f986cdcefaaecb975f42820fd8cb0221008abdf93aaf157daf62520f15c214ff2cd2142cb1f4da8383eb3d93f71568d91c:922c64590222798bb761d5b6d8e72950
Update gozi-malware-c2.yaml 2023-08-01 11:43:57 +00:00			`id: gozi-malware-c2`
Gozi Malware - Detect 2023-06-14 14:23:39 +00:00
			`info:`
Update gozi-malware-c2.yaml 2023-08-01 11:43:57 +00:00			`name: Gozi Malware C2 - Detect`
Gozi Malware - Detect 2023-06-14 14:23:39 +00:00			`author: pussycat0x`
			`severity: info`
			`description: \|`
lint -fix 2023-06-14 14:27:16 +00:00			`Gozi is a banking Trojan that has been modified to include new obfuscation techniques, to evade detection. Previous breaches involving Gozi in the healthcare sector led to the compromise of data associated with 3.7 million patients costing $5.55 million.`
Gozi Malware - Detect 2023-06-14 14:23:39 +00:00			`reference: \|`
			`https://github.com/thehappydinoa/awesome-censys-queries#gozi-malware--`
			`metadata:`
TemplateMan Update [Wed Jun 21 21:03:53 UTC 2023] :robot: 2023-06-21 21:03:53 +00:00			`verified: "true"`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 1`
			`censys-query: 'services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=\*"'`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: ssl,tls,c2,ir,osint,malware,gozi`
Gozi Malware - Detect 2023-06-14 14:23:39 +00:00			`ssl:`
			`- address: "{{Host}}:{{Port}}"`
			`matchers:`
			`- type: word`
			`part: issuer_dn`
			`words:`
			`- "CN=*, OU=1, O=1, L=1, ST=1, C=XX"`

			`extractors:`
			`- type: json`
			`json:`
			`- ".issuer_dn"`
Auto Template Signing [Fri Dec 8 07:58:29 UTC 2023] :robot: 2023-12-08 07:58:29 +00:00			`# digest: 4b0a00483046022100988d6f97110fe985e3492f98a83c8482f7b2f986cdcefaaecb975f42820fd8cb0221008abdf93aaf157daf62520f15c214ff2cd2142cb1f4da8383eb3d93f71568d91c:922c64590222798bb761d5b6d8e72950`