Banking trojan Gozi resurfaces with new tactics

Twelve-year-old trojan malware, Gozi, has resurfaced with new techniques to steal users’ financial credentials. Using common strategies such as keylogging, recording information and extracting saved passwords, hackers use the data to steal identities and user’s funds.

The trojan in the past targeted users who downloaded compromised software or paired with browser hackers to exploit further malware such as adware. Users affected included Business customers, researchers and financial institutions.  A single attack of this trojan could compromise over 5200 hosts and 10,000 users. The method to steal the data once it is in the devices remain the same as every other malware.

New tactics

Since a leak of the malware code, (full code found here), malware distributors released many versions. Consequently, Ursnif became the most commonly used code. This could be down to the fact it runs in a different way. Although it releases a spam mail in the traditional way with a document containing malicious macros, the malware does not deploy from the attached document. Instead, the obfuscated code runs a PowerShell command (used to manage administrative tasks) which runs another PowerShell command. It then downloads the malware executable to the users’ AppData directory.  The PowerShell is executed from the use of Windows Management Instrumentation Command-line and the code runs, deploying the malware. This effectively makes the user less suspecting of the email and file and makes it easier for the malware to stay within a users’ device undetected.

Use of endpoint antivirus software can help a user stay protected against most types of malware. Cisco Talos managed to discover Gozi through its own advanced malware protection software. It highlights on its website, the indicators to help stop users being infected.

For devices already infected, Virusremovalguidelines provides a step-by-step guide on removing the malware.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil