
New Gozi Campaigns Target Global Brands with Sophisticated Features

Researchers from Buguroo discovered new Gozi campaigns using new techniques that targeted many banks and financial services worldwide.

The Gozi malware was first spotted in 2007; its source code has been leaked twice in the criminal underground, allowing the creation of new, sophisticated versions. Recently, security experts from IBM X-Force Research spotted a new threat dubbed GozNym, a Trojan that combines the capabilities of the Gozi ISFB and Nymaim malware.

Researchers from Buguroo discovered new Gozi campaigns that mainly targeted banks and financial services in Spain, Poland, and Japan; the experts also noticed some targeted attacks on users in Canada, Italy, and Australia.

Threat actors behind the new Gozi campaigns are using new techniques to spread the malware in the United States and Western Europe.

In Spain, attackers delivered the malware by exploiting compromised WordPress websites. The malware was spread via malicious links leveraging URL shortening services.

The new campaigns are using dynamic web injection and automatically optimize the selection of mules after profiling the victim.

The web injections are very sophisticated and optimized to avoid detection; according to the report, the operators refined the mechanism each time an attack was discovered.

The greatest number of infections was observed in Poland and Japan. The threat actors behind the campaign also used servers located in Canada, Italy, and Australia in other Gozi campaigns that hit those countries.

The new campaigns impacted popular brands, including BNP Paribas, Bank of Tokyo, CitiDirect BE, ING Bank, PayPal, and Société Générale.

“A detailed analysis of how the webinjects work revealed that when an infected user at a target financial institution attempts a transaction, the C2 (Command and Control server) is notified in real time and sends the user’s browser the information necessary for carrying out fraudulent transfers.

  • What the user sees: The injected code presents a fraudulent deposit pending alert requesting the security key to complete the transfer.
  • What the bank sees: Hidden underneath, however, is the actual real transfer page being presented to the bank. The unsuspecting user is inadvertently entering their key, not to receive money, but to send their money to a “mule” designated by the malware operators.”

The victim inadvertently enters the requested information and sends money to one of the selected “mules.”
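The overlay described above (a fake "deposit pending" prompt drawn over the real transfer page, with a secret-key field the bank never asked for) is the kind of DOM change a bank's own front end can watch for. The following is an added example written for this page, not code from the Buguroo report or from Security Affairs: a small client-side integrity monitor whose policy (`classifyElement`) runs on plain descriptions of added elements so it can be exercised without a browser, plus a `MutationObserver` hookup for use in a real page. The form ids, the field-name pattern and the `/telemetry/dom-integrity` reporting path are assumptions. Because the trojan sits in the same browser, such a monitor can itself be tampered with; its alerts are telemetry for the bank's fraud team, not proof, and the real control remains out-of-band confirmation of the transfer details.

```javascript
// Added example (not from the report or the article): heuristic detection of
// injected overlay forms in a banking web app. Assumed names throughout.

// Forms the legitimate page ships; a secret requested outside them is suspicious.
const KNOWN_FORMS = new Set(["transfer-form", "login-form"]);
// Input names that denote a one-time secret (assumed naming convention).
const SENSITIVE_FIELD_PATTERN = /(otp|token|security.?key|tan|pin)/i;

// Reduce a live DOM element to plain values so the policy below is DOM-free.
function describeElement(el, win = globalThis.window) {
  const style = win.getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  const form = el.closest ? el.closest("form") : null;
  const inputs = el.querySelectorAll ? Array.from(el.querySelectorAll("input")) : [];
  return {
    tag: el.tagName.toLowerCase(),
    position: style.position,
    zIndex: parseInt(style.zIndex, 10) || 0, // "auto" becomes 0
    coverage: (rect.width * rect.height) / (win.innerWidth * win.innerHeight),
    formId: form ? form.id : null,
    fieldNames: inputs.map((i) => i.name || i.id || ""),
    text: (el.textContent || "").slice(0, 200),
  };
}

// Return the list of reasons an added element looks like a webinject overlay
// (empty list means nothing suspicious).
function classifyElement(desc) {
  const reasons = [];
  // A fixed/absolute element covering most of the viewport at a high z-index
  // is the classic "draw over the real page" overlay.
  const covering = (desc.position === "fixed" || desc.position === "absolute")
    && desc.coverage >= 0.6 && desc.zIndex >= 1000;
  if (covering) reasons.push("full-page overlay");

  // A secret-key field that does not belong to one of our own forms.
  const asksSecret = desc.fieldNames.some((n) => SENSITIVE_FIELD_PATTERN.test(n));
  if (asksSecret && !KNOWN_FORMS.has(desc.formId)) {
    reasons.push("secret-key input outside known forms");
  }

  // Lure copy of the kind described in the report, paired with a secret field.
  if (asksSecret && /deposit pending|incoming transfer/i.test(desc.text)) {
    reasons.push("pending-deposit lure text with secret field");
  }
  return reasons;
}

// Observe the live document and report suspicious additions. Returns the
// observer, or null when no DOM is available (e.g. under Node for testing).
function installMonitor(report = (r) =>
  fetch("/telemetry/dom-integrity", { method: "POST", body: JSON.stringify(r) })) {
  if (typeof document === "undefined" || typeof MutationObserver === "undefined") return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1) continue; // elements only
        const desc = describeElement(node);
        const reasons = classifyElement(desc);
        if (reasons.length) report({ reasons, desc, ts: Date.now() });
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample: the overlay the article describes, as the policy would see it.
const SAMPLE_OVERLAY = {
  tag: "div", position: "fixed", zIndex: 99999, coverage: 1.0, formId: null,
  fieldNames: ["security_key"],
  text: "Deposit pending: enter your security key to receive the funds",
};
```

Calling `installMonitor()` once at page load is enough in a browser; `classifyElement(SAMPLE_OVERLAY)` returns all three reasons, while the bank's own transfer confirmation (a static element inside `transfer-form` asking for an OTP) returns none. Thresholds like 60 % coverage and z-index 1000 are starting points to tune against the real layout.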

The new Gozi campaigns also revealed that, for certain versions of the webinjects, the Trojan sends a kind of behavioral biometric information to the control panel. The information includes how long the user takes to move from one input field to the next; this kind of data is valuable for bypassing protection systems that rely on user behavior.

The experts noticed some similarities between the webinjects used in these new Gozi campaigns and those implemented by a malware family dubbed Gootkit.

“The webinjects used in these campaigns also revealed key similarities to GOOTKIT, not just related to the code and the techniques used, but also to the dates and times corresponding to its updates in the corresponding ATS panels—prompted by affected companies launching security measures to prevent the malware’s operation,” states the report. “This development points to the professionalization of malware services trend. The services are sold underground by independent businesses and are able to deliver malicious code for use by different organizations, families of malware and campaigns.”


Pierluigi Paganini

(Security Affairs – Gozi campaigns, malware)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
