Gozi Banking Trojan Targets Windows 10’s Edge Browser

A new Gozi Trojan build has been observed in the wild, modified to inject malicious code into Windows 10’s Edge browser, IBM X-Force researchers warn.

Windows 10, Microsoft’s latest operating system, is offered to users as a free upgrade, which has already helped it become the second largest version of Windows in terms of market share. As a result, criminals have been targeting Windows 10 machines, including the Edge browser.

The Gozi Trojan is the latest observed to target Microsoft Edge; Dyre, Ramnit, and Tinba v3 were spotted doing so earlier. The operators behind Gozi managed to find a way to use an older code injection mechanism to inject code into the Edge browser’s process, MicrosoftEdgeCP.exe, IBM’s Or Safran notes in a recent post.

Discovered in 2007, Gozi is one of the oldest banking Trojans in the wild, with its first variant having its source code leaked online in late 2010. The second variant appeared in late 2010, while a Prinimalka variation was tied to a massive cyber-fraud campaign against U.S. financial institutions two years later.

In 2013, Gozi’s developers added a Master Boot Record (MBR) rootkit for high persistence, yet law enforcement agencies managed to capture and charge three individuals in the Gozi gang during the same year. In September 2015, a Latvian cybercriminal admitted to having written part of the code for Gozi, after he was arrested in November 2012 and spent 10 months in jail in Latvia before being extradited to the United States.

Gozi has seen a series of updates over the past year as well, with its operators changing the malware’s webinjection schemes and capabilities. Furthermore, the Trojan was observed attacking banks in more countries, as well as injecting full-page replacements into the communication flow with the bank’s servers in attacks on U.K. banks.

In previous infections with Gozi, every process created by explorer.exe or one of its child processes was patched to ensure infection prevalence, keylogging ability, and other malicious control. In the case of Windows 10, Gozi’s developers use a number of hooks on kernel32.dll to inject code into the browser.

While in previous Windows versions the Trojan leveraged explorer.exe to inject code in the browser, since that was the parent process of the browser process, Gozi now leverages RuntimeBroker.exe, the parent process of the Edge browser in Windows 10 machines. However, it also injects malicious code into explorer.exe, as well as into the processes of other browsers, including iexplore.exe, firefox.exe, chrome.exe, and opera.exe.

The malicious code hooks the RuntimeBroker.exe process with the Gozi-style patches, which results in every child process of the poisoned RuntimeBroker.exe being injected with the code. There are three main functions hooked by the malware, namely kernel32!CreateProcessA, kernel32!CreateProcessW, and kernel32!CreateProcessAsUserW.
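The following is an added detection example, not code from IBM X-Force or from the article: it compares the leading bytes of the three hooked exports as read from kernel32.dll on disk with the same bytes read from a live process, and names the redirect pattern it finds. The `Snapshot` structure, the prologue bytes and the process list are constructed for illustration, and the snapshots are assumed to be taken after relocations are applied.

```python
from dataclasses import dataclass

# The three kernel32 exports the article names as hooked.
WATCHED = ("CreateProcessA", "CreateProcessW", "CreateProcessAsUserW")
# Parent processes whose hooks reach browser children, per the article.
SPAWNERS = {"explorer.exe", "runtimebroker.exe"}

@dataclass
class Snapshot:
    process: str   # image name of the inspected process
    export: str    # kernel32 export name
    disk: bytes    # leading bytes of the export in kernel32.dll on disk
    memory: bytes  # the same bytes read from the live process

def patch_kind(disk: bytes, memory: bytes) -> str:
    """Name the redirect pattern at the start of a function, if any."""
    if memory == disk:
        return "clean"
    if memory[:1] == b"\xe9":
        return "jmp rel32"
    if memory[:2] == b"\xff\x25":
        return "jmp [mem]"
    if memory[:1] == b"\x68" and memory[5:6] == b"\xc3":
        return "push imm32; ret"
    if memory[:2] == b"\x48\xb8" and memory[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    return "modified"

def find_hooks(snapshots):
    """Return (process, export, kind, propagates) for each patched watched export."""
    findings = []
    for s in snapshots:
        kind = patch_kind(s.disk, s.memory)
        if s.export in WATCHED and kind != "clean":
            findings.append((s.process, s.export, kind, s.process.lower() in SPAWNERS))
    return findings

# Constructed sample: a made-up x64 prologue and two patched copies of it.
ORIG = bytes.fromhex("4c8bdc4883ec58488b8424b8")
JMP = bytes.fromhex("e910203040") + ORIG[5:]
MOVJMP = bytes.fromhex("48b8000010a0f77f0000ffe0")
SAMPLES = [
    Snapshot("RuntimeBroker.exe", "CreateProcessW", ORIG, JMP),
    Snapshot("RuntimeBroker.exe", "CreateProcessA", ORIG, ORIG),
    Snapshot("notepad.exe", "CreateProcessAsUserW", ORIG, MOVJMP),
    Snapshot("explorer.exe", "LoadLibraryW", ORIG, JMP),  # not a watched export
]
print(find_hooks(SAMPLES))
```

A mismatch shows that the export was patched, not who patched it; security products also hook these functions, so resolve the jump target to its owning module before treating a finding as malicious.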

IBM X-Force researchers have discovered that the current Gozi build is being distributed in the United States, the United Kingdom, and South Africa. The good news, however, is the fact that the analyzed sample was detected by 33 out of 55 security tools in VirusTotal, which means that users are relatively safe.

In November 2015, Microsoft updated the Edge browser to prevent code injection into it, by allowing only components that are signed by Microsoft and WHQL-signed device drivers to load. The company also introduced EdgeHTML 13, a new version of the web browser’s rendering engine, to further boost the browser’s security.
