SecurityWeek

Malware & Threats

Gozi Banking Trojan Targets Windows 10’s Edge Browser

A new Gozi Trojan build has been observed in the wild, modified to inject malicious code into Windows 10’s Edge browser, IBM X-Force researchers warn.


Windows 10, Microsoft’s latest operating system, is offered to users as a free upgrade, which has already helped it become the second largest version of Windows in terms of market share. As a result, criminals have been targeting Windows 10 machines, including the Edge browser.

The Gozi Trojan is the latest observed to target Microsoft Edge, after Dyre, Ramnit, and Tinba v3 were spotted doing so before. The operators behind Gozi managed to find a way to use an older code injection mechanism to inject code into the Edge browser’s process, MicrosoftEdgeCP.exe, IBM’s Or Safran notes in a recent post.

Discovered in 2007, Gozi is one of the oldest banking Trojans in the wild. The source code of its first variant was leaked online in late 2010, and the second variant appeared in late 2010; a Prinimalka variation was tied to a massive cyber-fraud campaign against U.S. financial institutions two years later.

In 2013, Gozi’s developers added a Master Boot Record (MBR) rootkit for persistence, yet law enforcement agencies managed to capture and charge three individuals in the Gozi gang during the same year. In September 2015, a Latvian cybercriminal admitted to having written part of the code for Gozi; he had been arrested in November 2012 and spent 10 months in jail in Latvia before being extradited to the United States.

Gozi has seen a series of updates over the past year as well, with its operators changing the malware’s webinjection schemes and capabilities. Furthermore, the Trojan was observed attacking banks in more countries, as well as employing injected full-page replacements into the communication flow with the bank’s servers in attacks on U.K. banks.

In previous infections with Gozi, every process created by explorer.exe or one of its child processes was patched to ensure the infection spread to new processes, along with keylogging and other malicious control. In the case of Windows 10, Gozi’s developers use a number of hooks on kernel32.dll to inject code into the browser.

While in previous Windows versions the Trojan leveraged explorer.exe to inject code into the browser, since that was the parent process of the browser process, Gozi now leverages RuntimeBroker.exe, the parent process of the Edge browser on Windows 10 machines. However, it also injects malicious code into explorer.exe, as well as into the processes of other browsers, including iexplore.exe, firefox.exe, chrome.exe, and opera.exe.


The malicious code hooks the RuntimeBroker.exe process with the Gozi-style patches, which results in every child process of the poisoned RuntimeBroker.exe being injected with the code. There are three main functions hooked by the malware, namely kernel32!CreateProcessA, kernel32!CreateProcessW, and kernel32!CreateProcessAsUserW.
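As an added example (not code from the article or from IBM X-Force), here is a defender-side check for the kind of user-mode patches described above: it compares the first bytes of each kernel32 export as found on disk with the bytes mapped in a process such as RuntimeBroker.exe and flags control-flow-diverting opcodes. It assumes the caller has already read those prologue bytes from both copies; the byte strings below are constructed samples, not real kernel32 code.

```python
"""Detect inline hooks on kernel32 exports by comparing on-disk and in-memory prologues."""
import struct
from typing import Dict, List, Optional

# Opcode patterns that redirect execution at the very start of a function.
# A legitimate export prologue should not begin with any of these.
HOOK_PREFIXES = {
    b"\xe9": "jmp rel32",
    b"\xeb": "jmp rel8",
    b"\xff\x25": "jmp [mem]",
    b"\x68": "push imm32 (push/ret trampoline)",
    b"\x48\xb8": "mov rax, imm64 (mov/jmp trampoline)",
}


def classify_prologue(mem: bytes) -> Optional[str]:
    """Name the hook style if the prologue starts with a known redirect opcode."""
    for prefix, name in HOOK_PREFIXES.items():
        if mem.startswith(prefix):
            return name
    return None


def find_hooks(disk_exports: Dict[str, bytes], mem_exports: Dict[str, bytes]) -> List[dict]:
    """Return one finding per export whose in-memory prologue differs from disk."""
    findings = []
    for name, disk_bytes in disk_exports.items():
        mem_bytes = mem_exports.get(name)
        if mem_bytes is None or mem_bytes == disk_bytes:
            continue  # unmapped or unmodified: nothing to report
        finding = {"export": name, "kind": classify_prologue(mem_bytes) or "patched bytes"}
        if mem_bytes[:1] == b"\xe9" and len(mem_bytes) >= 5:
            # Record the signed displacement of the inserted jump so an analyst
            # can resolve where the trampoline leads (relative to export + 5).
            finding["jmp_rel32"] = struct.unpack("<i", mem_bytes[1:5])[0]
        findings.append(finding)
    return findings


# Constructed sample: prologue bytes for the three exports the article names,
# and an in-memory copy where CreateProcessW has been overwritten with a jmp rel32.
DISK = {
    "CreateProcessA": bytes.fromhex("4c8bdc49895b08"),
    "CreateProcessW": bytes.fromhex("4c8bdc49895b08"),
    "CreateProcessAsUserW": bytes.fromhex("4883ec38488b44"),
}
MEMORY = dict(DISK)
MEMORY["CreateProcessW"] = b"\xe9" + struct.pack("<i", 0x1234) + bytes.fromhex("8b08")

if __name__ == "__main__":
    for f in find_hooks(DISK, MEMORY):
        print(f)
```

On a live Windows host the same comparison is done by reading the export's bytes from the mapped module in the suspect process and from the file in System32; the parent-of-Edge process is the one worth checking first given the behaviour described.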

IBM X-Force researchers have discovered that the current Gozi build is being distributed in the United States, the United Kingdom, and South Africa. The good news is that the analyzed sample was detected by 33 out of 55 security tools in VirusTotal, which means that users are relatively safe.

In November 2015, Microsoft updated the Edge browser to prevent code injection into it, by allowing only components that are signed by Microsoft and WHQL-signed device drivers to load. The company also introduced EdgeHTML 13, a new version of the web browser’s rendering engine, to further boost the browser’s security.
