Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Gozi Banking Trojan Targets Windows 10’s Edge Browser

A new Gozi Trojan build has been observed in the wild, modified to inject malicious code into Windows 10’s Edge browser, IBM X-Force researchers warn.

A new Gozi Trojan build has been observed in the wild, modified to inject malicious code into Windows 10’s Edge browser, IBM X-Force researchers warn.

Windows 10, Microsoft’s latest operating system, is offered to users as a free upgrade, which has already helped it become the second largest version of Windows in terms of market share. As a result, criminals have been targeting Windows 10 machines, which includes the Edge Browser.

The Gozi Trojan is the latest observed to target Microsoft Edge, after Dyre, Ramnit, and Tinba v3 were spotted doing so before. The operators behind Gozi managed to find a way to use an older code injection mechanism to inject code into the Edge browser’s process, MicrosoftEdgeCP.exe, IBM’s Or Safran notes in a recent post.

Discovered in 2007, Gozi is one of the oldest banking Trojans in the wild, with its first variant having its source code leaked online in late 2010. The second variant appeared in late 2010, while a Prinimalka variation was tied to a massive cyber-fraud campaign against U.S. financial institutions two years later.

In 2013, Gozi’s developers added a Master Boot Record (MBR) rootkit for high persistency, yet law enforcement agencies managed to capture and charge three individuals in the Gozi gang during the same year. In September 2015, a Latvian cybercriminal admitted to have written part of the code for Gozi, after it was arrested in November 2012 and spent 10 months in jail in Latvia before being extradited to the United States.

Gozi has seen a series of updates over the past year as well, with its operators changing the malware’s webinjection schemes and capabilities. Furthermore, the Trojan was observed attacking banks in more countries, as well employing injected full-page replacements into the communication flow with the bank’s servers in attacks on U.K. banks.

In previous infections with Gozi, every process created by explorer.exe or one of its child processes was patched to ensure infection prevalence, keylogging ability, and other malicious control. In the case of Windows 10, Gozi’s developers use a number of hooks on the kernel32.dll to inject code into the browser.

While in previous Windows versions the Trojan leveraged explorer.exe to inject code in the browser, since that was the parent process of the browser process, Gozi now leverages RuntimeBroker.exe, the parent process of the Edge browser in Windows 10 machines. However, it also injects malicious code into explorer.exe, as well as into the processes of other browsers, including iexplore.exe, firefox.exe, chrome.exe, and opera.exe.

The malicious code hooks the RuntimeBroker.exe process with the Gozi-style patches, which results in every child process of the poisoned RuntimeBroker.exe being injected with the code. There are three main functions hooked by the malware, namely kernel32!CreateProcessA, kernel32!CreateProcessW, and kernel32!CreateProcessAsUserW.

IBM X-Force researchers have discovered that the current Gozi build is being distributed in the United States, the United Kingdom, and South Africa. The good news, however, is the fact that the analyzed sample was detected by 33 out of 55 security tools in VirusTotal, which means that users are relatively safe.

In November 2015, Microsoft updated the Edge browser  to prevent code injection into it, by allowing only components that are signed by Microsoft and WHQL-signed device drivers to load. The company also introduced EdgeHTML 13, a new version of the web browser’s rendering engine, to further boost browser’s security.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.