nuclei-templates/ssl/c2/gozi-malware-c2.yaml

30 lines
1.1 KiB
YAML

id: gozi-malware-c2
info:
name: Gozi Malware C2 - Detect
author: pussycat0x
severity: info
description: |
Gozi is a banking Trojan that has been modified to include new obfuscation techniques, to evade detection. Previous breaches involving Gozi in the healthcare sector led to the compromise of data associated with 3.7 million patients costing $5.55 million.
reference: |
https://github.com/thehappydinoa/awesome-censys-queries#gozi-malware--
metadata:
verified: "true"
max-request: 1
censys-query: 'services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=\*"'
tags: c2,ir,osint,gozi,malware,ssl
ssl:
- address: "{{Host}}:{{Port}}"
matchers:
- type: word
part: issuer_dn
words:
- "CN=*, OU=1, O=1, L=1, ST=1, C=XX"
extractors:
- type: json
json:
- ".issuer_dn"
# digest: 4a0a00473045022100fec5b255e9ae7881f926ca552b5e98777fabfc753a73d93a85c5d34e385d1672022022286982bfe02e53112894f90410f67017f94a896d9295d1e4a692ac62e3fbe5:922c64590222798bb761d5b6d8e72950