Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Gozi Banking Trojan Campaigns Target Global Brands

Gozi, one of the oldest banking Trojans out there, is using highly elaborated webinjects along with behavioral biometrics for fraud protection bypass in new campaigns targeting global brands, buguroo researchers warn.

Gozi, one of the oldest banking Trojans out there, is using highly elaborated webinjects along with behavioral biometrics for fraud protection bypass in new campaigns targeting global brands, buguroo researchers warn.

Discovered in 2007, Gozi has had its source code leaked twice, which has led to the creation of new variants, including the newly discovered GozNym, which borrows capabilities from the Nymaim Trojan too. GozNym has been already spotted in various campaigns, initially targeting users in the United States and Canada, and then migrating to Europe.

The new Gozi campaigns are focused mainly on banks and financial services in Spain, Poland, and Japan, but some target users in Canada, Italy, and Australia. According to researchers, Gozi’s operators are using new techniques that haven’t been perfected. As soon as that happens, however, the infection campaigns will spread to the United States and Western Europe.

In Spain, the malware was being distributed via malicious links leveraging URL shortening services, which led to compromised WordPress sites. The number of affected Spanish companies is relatively low, at least when compared to those in Poland and Japan, researchers say. The servers used for the distribution of configurations and webinjects for campaigns in Canada, Italy and Australia were inactive or disabled at the time of the research.

Some of the brands impacted in these campaigns include PayPal, CitiDirect BE, ING Bank, Société Générale, BNP Paribas, the Bank of Tokyo and many more, buguroo reveals in a report. These attacks reveal that Gozi continues to evolve, as it is now using dynamic web injection. It uses a high degree of automation to optimize the selection of mules after profiling the victim: the most important targets might even see the live intervention of operators, researchers say.

Gozi uses web injection that is very elaborate and optimized to avoid detection, which allows it to go virtually undetected. Furthermore, its operators immediately refine the code after an attack has been discovered. The updated code ensures that the defensive measures by institutions under attack are rendered useless.

When the infected user attempts a transaction, the malware’s command and control (C&C) server is notified in real time and immediately serves the user false information necessary to carry out fraudulent transfers. The user sees a deposit-pending alert requesting the security key to complete the transfer but the real transfer page that is present to the bank is hidden beneath it. Thus, the unsuspecting user is inadvertently entering the requested key and sends money to a “mule.”

The security researchers observed that Gozi is delivering both automated and manual customized responses from the control panel. Some users are assigned to a specific mule in a particular country, and the operator decides how much money would be transferred. Other users are assigned to a random mule and a fixed amount is transferred. In the end, it all depends on the value of the target, as operators assign greater operations to more reliable mules, researchers say.

Advertisement. Scroll to continue reading.

The new campaigns also revealed that, for certain versions of the webinjects, the Trojan would send a kind of biometric information to the control panel, including details on how long the user takes to move from an input field to the next or the time between keystrokes. Based on these values, the malware then attempts to bypass protection systems that leverage user behavior and fills the necessary fields to perform fraudulent transfers.

The webinjects used in these campaigns show similarities to a malware family called Gootkit, but this is not surprising, since Gozi has shared webinjects with other malware in the past. The similarities between Gozi and GootKit webinjects, however, weren’t limited to code and techniques, but also to the dates and times corresponding to updates in the corresponding automatic transfer system (ATS) panels once impacted companies make changes to hinder Trojan’s operations.

“These facts—the complexity of these webinjects, their detailed elaboration and the fast updates once they stop functioning properly—once again point to the trend toward professionalization of malware services. These are probably sold by independent underground businesses that specialize in delivering malicious code for use by different organizations and made available, for a price, for multiple families of malware and campaigns,” the report reads.

Related: Multiple Banking Trojans Assault Users in Canada

Related: Gozi Malware Creator Sentenced to Time Served

 

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.