Gozi Malware - Detect
parent
1e0744f23b
commit
4ca027ff71
@ -0,0 +1,28 @@
id: gozi-malware
info:
name: Gozi Malware - Detect
author: pussycat0x
severity: info
description: |
Gozi is a banking Trojan that has been modified to include new obfuscation techniques, to evade detection. Previous breaches involving Gozi in the healthcare sector led to the compromise of data associated with 3.7 million patients costing $5.55 million.
reference: |
https://github.com/thehappydinoa/awesome-censys-queries#gozi-malware--
metadata:
verified: "true"
censys-query: 'services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=\*"'
tags: c2,ir,osint,gozi,malware,ssl
ssl:
- address: "{{Host}}:{{Port}}"
matchers:
- type: word
part: issuer_dn
words:
- "CN=*, OU=1, O=1, L=1, ST=1, C=XX"
extractors:
- type: json
json:
- ".issuer_dn"
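Review bot: The word matcher's issuer DN is written in the opposite attribute order (`CN=*, OU=1, O=1, L=1, ST=1, C=XX`) from the `censys-query` in metadata (`C=XX, ST=1, L=1, O=1, OU=1, CN=\*`), so whether it fires depends entirely on the order in which the `ssl` protocol renders `issuer_dn`; please confirm against a live run and record that assumption in the description, or switch to a `regex` matcher that accepts either ordering. Two smaller points: `reference: |` stores the URL as a multi-line block scalar with a trailing newline, where the usual convention in these templates is a plain list entry (`- https://...`), and the figures in the description (3.7 million patients, $5.55 million) are not backed by the single reference given, so either cite their source or drop them.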