A new Gozi Trojan build has been observed in the wild, modified to inject malicious code into Windows 10’s Edge browser, IBM X-Force researchers warn.
Windows 10, Microsoft’s latest operating system, is offered to users as a free upgrade, which has already helped it become the second largest version of Windows in terms of market share. As a result, criminals have been targeting Windows 10 machines, including the Edge browser.
The Gozi Trojan is the latest observed to target Microsoft Edge, after Dyre, Ramnit, and Tinba v3 were spotted doing so earlier. The operators behind Gozi managed to find a way to use an older code injection mechanism to inject code into the Edge browser’s process, MicrosoftEdgeCP.exe, IBM’s Or Safran notes in a recent post.
Discovered in 2007, Gozi is one of the oldest banking Trojans in the wild, with its first variant having its source code leaked online in late 2010. The second variant appeared in late 2010, while a Prinimalka variation was tied to a massive cyber-fraud campaign against U.S. financial institutions two years later.
In 2013, Gozi’s developers added a Master Boot Record (MBR) rootkit for stronger persistence, yet law enforcement agencies managed to capture and charge three individuals in the Gozi gang during the same year. In September 2015, a Latvian cybercriminal admitted to having written part of the code for Gozi, after he was arrested in November 2012 and spent 10 months in jail in Latvia before being extradited to the United States.
Gozi has seen a series of updates over the past year as well, with its operators changing the malware’s webinjection schemes and capabilities. Furthermore, the Trojan was observed attacking banks in more countries, as well as employing injected full-page replacements in the communication flow with the bank’s servers in attacks on U.K. banks.
In previous infections with Gozi, every process created by explorer.exe or one of its child processes was patched to ensure that the infection persisted and to provide keylogging ability and other malicious control. In the case of Windows 10, Gozi’s developers use a number of hooks in kernel32.dll to inject code into the browser.
While in previous Windows versions the Trojan leveraged explorer.exe to inject code into the browser, since that was the parent process of the browser process, Gozi now leverages RuntimeBroker.exe, the parent process of the Edge browser on Windows 10 machines. However, it also injects malicious code into explorer.exe, as well as into the processes of other browsers, including iexplore.exe, firefox.exe, chrome.exe, and opera.exe.
The malicious code hooks the RuntimeBroker.exe process with the Gozi-style patches, which results in every child process of the poisoned RuntimeBroker.exe being injected with the code. There are three main functions hooked by the malware, namely kernel32!CreateProcessA, kernel32!CreateProcessW, and kernel32!CreateProcessAsUserW.
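Because the injection described above keeps the normal RuntimeBroker.exe → MicrosoftEdgeCP.exe parent-child relationship, process-tree monitoring alone will not flag it; what does change is the first few bytes of the three kernel32 exports the article names, inside the patched process. The following script is an added example (not code from the article, IBM X-Force, or the Gozi sample) of the check an analyst would run over a memory snapshot: compare the in-memory prologue of each export with the prologue in the clean on-disk kernel32.dll image and classify any patch found. The snapshot, the function addresses, the hook targets and the clean prologue bytes are all constructed sample data; in a live investigation they would come from ReadProcessMemory or a process dump, which is assumed here rather than implemented.

```python
"""Inline-hook check for kernel32!CreateProcessA/W/AsUserW (added example,
constructed data; not from the article or any real Gozi sample)."""
import struct

HOOKED_EXPORTS = (
    "kernel32!CreateProcessA",
    "kernel32!CreateProcessW",
    "kernel32!CreateProcessAsUserW",
)

# Constructed: a typical 32-bit Win32 API hot-patch prologue as it appears in
# the on-disk image (mov edi,edi / push ebp / mov ebp,esp / sub esp,...).
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC83EC")


def classify_patch(mem: bytes, func_va: int) -> str:
    """Name the patch shape found at the start of a function at func_va."""
    if len(mem) >= 5 and mem[0] == 0xE9:            # JMP rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        target = (func_va + 5 + rel) & 0xFFFFFFFF   # rel is from next insn
        return f"JMP rel32 -> 0x{target:08x}"
    if len(mem) >= 6 and mem[:2] == b"\xFF\x25":    # JMP dword ptr [abs32]
        ptr = struct.unpack_from("<I", mem, 2)[0]
        return f"JMP [0x{ptr:08x}]"
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:  # PUSH imm32; RET
        target = struct.unpack_from("<I", mem, 1)[0]
        return f"PUSH/RET -> 0x{target:08x}"
    return "unknown patch"


def find_hooks(snapshot: dict, disk_prologue: bytes) -> dict:
    """snapshot maps export name -> (function VA, first bytes seen in memory).
    Returns {export name: description} for every export whose in-memory bytes
    no longer match the on-disk prologue; an untouched export is omitted."""
    n = len(disk_prologue)
    findings = {}
    for name, (va, mem) in snapshot.items():
        if mem[:n] != disk_prologue:
            findings[name] = classify_patch(mem, va)
    return findings


# --- constructed sample snapshot of a patched RuntimeBroker.exe ---------------
def _jmp_rel32(func_va: int, target: int) -> bytes:
    """Build the bytes a 5-byte relative JMP patch would leave at func_va."""
    rel = target - (func_va + 5)
    return b"\xE9" + struct.pack("<i", rel) + CLEAN_PROLOGUE[5:]


def _push_ret(target: int) -> bytes:
    """Build the bytes a PUSH imm32 / RET patch would leave at the function."""
    return b"\x68" + struct.pack("<I", target) + b"\xC3" + CLEAN_PROLOGUE[6:]


def sample_snapshot() -> dict:
    # Addresses and hook targets are made up for the example.
    return {
        "kernel32!CreateProcessA": (0x7C80236B, _jmp_rel32(0x7C80236B, 0x00420000)),
        "kernel32!CreateProcessW": (0x7C802336, _push_ret(0x00420100)),
        "kernel32!CreateProcessAsUserW": (0x7C80DD9A, CLEAN_PROLOGUE),  # untouched
    }


def scan_sample() -> dict:
    return find_hooks(sample_snapshot(), CLEAN_PROLOGUE)


if __name__ == "__main__":
    for export in HOOKED_EXPORTS:
        print(f"{export}: {scan_sample().get(export, 'clean')}")
```

A plain byte comparison is enough for function prologues because they contain no relocated absolute addresses; when extending the check to whole code sections, relocation fix-ups must be applied to the disk image first or every relocated pointer will look like a patch. The JMP rel32 target is computed relative to the end of the 5-byte instruction, which is why `func_va + 5` is added before the displacement.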
IBM X-Force researchers have discovered that the current Gozi build is being distributed in the United States, the United Kingdom, and South Africa. The good news is that the analyzed sample was detected by 33 out of 55 security tools in VirusTotal, which means that users are relatively safe.
In November 2015, Microsoft updated the Edge browser to prevent code injection into it by allowing only components that are signed by Microsoft and WHQL-signed device drivers to load. The company also introduced EdgeHTML 13, a new version of the web browser’s rendering engine, to further boost the browser’s security.