A new version of the Gozi banking Trojan has been detected in active campaigns. It is now more effective than before and targets a majority of global brands. Malicious human operators play a larger role during the infection process, and Gozi’s new technique can bypass some behavioral biometric defenses.
The currently active malicious campaigns have taken place in Poland, Japan and Spain, according to threat intelligence experts at buguroo Labs, who expect the U.S. and Western Europe to be among the next targeted countries. Global financial organizations such as PayPal, CitiDirect BE, ING Bank, Société Générale, BNP Paribas, the Bank of Tokyo and many more are targets of Gozi Trojan attacks.
Details of Gozi Banking Trojan
Each time an infected user at a targeted financial institution undertakes a financial transaction, a notification appears on the threat’s Command and Control server. Everything happens in real time, so the victim’s browser unnoticeably receives the information needed to carry out the fraudulent transfer. What the user sees is a fraudulent deposit-pending alert that requests the security key to complete the transfer, while the real transfer page stays underneath. Once the victim enters the key, the money is sent to the crooks’ “mule” account.
Here is more of what the threat intelligence experts at buguroo Labs explained:
“As the ‘drop_iban’ field below indicates, the account information of the infected user can include the SWIFT BIC and account information used for international money transfers. This suggests—but by no means confirms—that this attack might underlie the spate of high-value fraudulent transfers recently reported by some countries’ central banks.”
Further Details of the Working Mechanism of Gozi Banking Trojan
The analysis of Gozi shows that the latest variant leaves web fraud defense tools highly vulnerable, because of the advanced techniques the banking Trojan uses. It implements an elaborate and very well optimized web injection attack, carried out through malicious DLLs loaded into the user’s browser. Thus, when the victim visits a banking portal, a fake page appears on top of the real one. Each Gozi module supports a web injection package. Gozi can steal sensitive information the user enters into web forms and also has keylogging functions.
Human Operator Behind Some Web Injection Attacks
Behind some of the web injection attacks stands a crook; these are the cases in which the Trojan targets high-value business accounts. The human operator decides in real time which “mule” account the stolen money is transferred to and what amount is taken.
Gozi Trojan remains automated for smaller accounts. In these cases, the stolen cash is sent to a random “mule” account, and the payment sum is fixed.
Gozi Trojan Sends Biometric Information to Its Control Panel
In an attempt to bypass protection based on the biometrics of user behavior, the malware sends biometric information to its control panel. The collected biometric information can be the time it takes the user to move from an input field to the next step, or the time between keystrokes. The malware uses these values when performing the fraudulent transfer. Specific companies are attacked by means of webinjects that collect biometric information.
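A defender-side illustration of why replayed timings matter, added here as an example and not code from buguroo Labs or from the article: a behavioral check that only compares a session's average inter-keystroke interval to the user's baseline is satisfied by captured values played back, so the check below also flags a session whose interval sequence almost exactly repeats an earlier one. The baseline, the historical session, the thresholds and the helper names are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data (milliseconds between keystrokes in a login form).
BASELINE = [180, 210, 195, 240, 170, 205, 220, 190]   # the user's enrolled profile
HISTORY = [[185, 215, 200, 230, 175]]                 # one earlier legitimate session

def z_distance(baseline, session):
    """Distance of the session's mean interval from the baseline mean,
    measured in baseline standard deviations (the naive biometric check)."""
    b_mean, b_sd = mean(baseline), pstdev(baseline)
    s_mean = mean(session)
    if b_sd == 0:
        return 0.0 if s_mean == b_mean else float("inf")
    return abs(s_mean - b_mean) / b_sd

def looks_replayed(session, history, tolerance_ms=1):
    """True when the session's interval sequence reproduces a past session
    within tolerance_ms at every position. Human typing does not repeat an
    interval sequence this exactly; a near-identical repeat points to
    captured timing values being played back rather than typed."""
    for past in history:
        if len(past) != len(session):
            continue
        if all(abs(a - b) <= tolerance_ms for a, b in zip(past, session)):
            return True
    return False

def assess_session(session, baseline, history, max_z=3.0):
    """Combine both checks. The replay check runs first: a replayed session
    passes the statistical check by construction, so it must be caught
    before the z-score is allowed to vouch for it."""
    if looks_replayed(session, history):
        return "replay"
    if z_distance(baseline, session) > max_z:
        return "anomalous"
    return "consistent"

if __name__ == "__main__":
    replayed = [185, 215, 200, 230, 175]   # same values as the historical session
    genuine = [190, 205, 215, 200, 180]    # plausible fresh typing by the same user
    slow = [400, 450, 420, 480, 410]       # a very different typist
    for label, s in (("replayed", replayed), ("genuine", genuine), ("slow", slow)):
        print(label, round(z_distance(BASELINE, s), 2), assess_session(s, BASELINE, HISTORY))
```

The replayed session scores a z-distance near zero, exactly as the genuine one does, which is the weakness the replay check is there to cover.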