From news.sophos.com
Gozi, also known as Ursnif or ISFB, is a banking trojan which has been around for a long time and currently multiple variations of the trojan are circulating after its source code got leaked. Every variant that is distributed has interesting aspects, with Gozi version 3 the most eye-catching in the field of detection evasion.
In this blog we will discuss some of the techniques which Gozi V3 uses in an attempt to bypass endpoint defense. Additionally we will also discuss how researchers can use these evasion techniques to their advantage, since they produce a unique and distinctive behavioral pattern.