# Nuclei template: fingerprints Gozi C2 infrastructure by the issuer DN of the
# TLS leaf certificate a host presents. Treat a hit as a lead, not proof — the
# matched DN is a generic placeholder (C=XX, every other RDN set to "1") that
# unrelated malware or throwaway test setups could reuse.
id: gozi-malware-c2

info:
  name: Gozi Malware C2 - Detect
  author: pussycat0x
  severity: info
  description: |
    Gozi is a banking Trojan that has been modified to include new obfuscation techniques, to evade detection. Previous breaches involving Gozi in the healthcare sector led to the compromise of data associated with 3.7 million patients costing $5.55 million.
  reference: |
    https://github.com/thehappydinoa/awesome-censys-queries#gozi-malware--
  metadata:
    # Equivalent Censys search. The DN is written country-first here, while
    # the matcher below is written CN-first (see the comment on `words`).
    censys-query: 'services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=\*"'
    # One TLS handshake per target.
    max-request: 1
    # Quoted so it stays the string "true" rather than a YAML boolean.
    verified: "true"
  tags: c2,ir,osint,gozi,malware,ssl

ssl:
  - address: "{{Host}}:{{Port}}"

    matchers:
      - type: word
        # Issuer distinguished name of the leaf certificate.
        part: issuer_dn
        words:
          # Word matchers are literal substring tests, so `*` is the CN's
          # actual text, not a wildcard. The RDN order is the reverse of the
          # censys-query — presumably how issuer_dn is rendered by the scanner;
          # confirm against a live sample before editing this string.
          - "CN=*, OU=1, O=1, L=1, ST=1, C=XX"

    extractors:
      - type: json
        # Surface the full issuer DN in the result for triage.
        json:
          - ".issuer_dn"