New Gozi malware campaigns, relying on upgraded attack techniques, are targeting multiple financial institutions and services worldwide, alarm researchers from the Buguroo security firm.
The Gozi malware was detected for the first time way back in 2007 and, since then, its source code has been leaked twice online leading to the creation of newer and improved variants. Security experts from the IBM X-Force Research have recently come across one of this versions. The new threat is named GozNym Trojan and it is a combination between the Nymaim malware and the Gozi ISFB.
Buguroo researchers have noticed the new Gozi waves hitting primarily banks and financial services in Poland, Spain and Japan. And yet, attacks against Canadian, Italian and Australian users were also observed.
The Gozi malware developers are now utilizing more sophisticated techniques to distribute their threat in Western Europe and the US. In Spain, for instance, the malware actors compromised the WordPress webpage for their malicious actions, spreading Gozi via phony links leveraging URL shortening services.
Gozi`s new campaigns are using dynamic web injection and automatically optimize the selection of mules after profiling the victim. The malware authors perfected the attack method after one of their attacks was exposed. The web injections are now way improved and specially optimized to avoid being detected.
Poland and Japan are the countries which have experienced most of the attacks. However, the malware authors are using server hosted in Italy, Canada and Australia for those Gozi waves which are focused on these countries. These new campaigns have impacted some very popular global brands, such as, Bank of Tokyo, BNP Paribas, Société Générale, ING Bank, BNP Paribas, CitiDirect BE, PayPal etc.
According to the Buguroo Threat Intelligence Labs` report, this is how webinjects work:
“A detailed analysis of how the webinjects work revealed that when an infected user at a target financial institution attempts a transaction, the C2 (Command and Control server) is notified in real time and sends the user’s browser the information necessary for carrying out fraudulent transfers. What the user sees: The injected code presents a fraudulent:
– What the user sees: The injected code presents a fraudulent deposit pending alert requesting the security key to complete the transfer.
– What the bank sees: Hidden underneath, however, is the actual real transfer page being presented to the bank. The unsuspecting user is inadvertently entering their key, not to receive money, but to send their money to a “mule” designated by the malware operators.”
The victim is inadvertently entering the requested information and sends money to one of the selected “mule”.
Moreover, the Trojan is able to send a kind of biometric information to the control panel for some variants of the webinjects. The information shows crooks how long it takes for a user to move from an input field to the next one. Knowing this makes it a lot easier for them to bypass protection systems that leverage user behavior.
Researchers also discovered that the webinjects used in these Gozi campaigns have a lot in common with the ones the Gootkit malware family is relying on.
“The webinjects used in these campaigns also revealed key similarities to GOOTKIT, not just related to the code and the techniques used, but also to the dates and times corresponding to its updates in the corresponding ATS panels—prompted by affected companies launching security measures to prevent the malware’s operation.” – also states the report – ”This development points to the professionalization of malware services trend. The services are sold underground by independent businesses and are able to deliver malicious code for use by different organizations, families of malware and campaigns.”