IBM X-Force researchers have recently detected a new Gozi Trojan build propagated to endpoints in the wild.
Alongside some interesting changes made to the malware, the researchers reported that Gozi’s developer has successfully updated the Trojan’s code injection mechanism to implement form grabbing and webinjections in the Windows 10 Edge browser.
Since a Windows 10 operating system upgrade is offered to home users at no cost, which has triggered a rather vast adoption of the platform, malware authors are hurrying to update their codes to deploy on Windows 10 endpoints. Moreover, since Win10 comes with a new browser, Microsoft Edge, cybercriminals need the ability to seamlessly operate their malware on that software.
With the ability to inject the Trojan’s code into the operating system’s and the browser’s processes, cybercriminals can control the browser for monitoring victim activity, form grabbing and webinjections, which are among the most powerful tools criminals have against unsuspecting victims.
Within that context, Gozi is the most recent Trojan to achieve the ability to inject code into the Edge browser, but it is not the first.
Tinba v3 can inject code into the Edge browser as well, although it has not been able to deploy webinjections yet. Ramnit, too, can inject code into Edge and deploy webinjections on that browser. One of the better-known examples is the Dyre Trojan, which was reportedly upgraded for successful deployment on Windows 10 endpoints and code injection into the Microsoft Edge browser in November 2015, before the gang’s takedown.
Gozi’s New Build, Same Idea
According to the research of Gozi’s new capability, the malware’s developer has found a new way to use the same overall code injection mechanism on the Win10 Edge browser as it did on previous Windows OS versions. The code behind this new capability can now be injected into the MicrosoftEdgeCP.exe process, which is the Edge browser’s process.
In general, for Gozi-infected machines, every process created by explorer.exe or one of its child processes is patched in order to maintain Gozi’s infection, keylogging ability and other malicious control. Moreover, some child processes get specific attention from Gozi. Those will include extra code for other malicious features (see list below).
Figure 1
Let’s look at the way Gozi’s developer has managed to work out this new capability. To inject malicious code to browser processes in Win10, the malware uses a number of hooks on the kernel32.dll.
Gozi handles code injections differently when a browser process is already running and in cases where it is not yet open. In general, but not in Edge’s case, when an Internet browser process is already running, Gozi leverages CreateRemoteThread to inject code.
In previous versions of the Windows OS, the default behavior would have explorer.exe as the parent process of the browser process, hence Gozi injected its malicious code into it. From there, it would rely on its hooks to infect the browsers through hooking CreateProcess APIs. In Windows 10, however, Gozi cannot perform the same trick since explorer.exe is not the parent process of the Edge browser.
Gozi needed a new workaround for Windows 10. Its developer began by going to the new parent process and leveraging another process: RuntimeBroker.exe. The latter is the parent process of the Edge browser in Windows 10 machines.
To ensure hooking happens properly no matter which browser is launched by the victim, following the injection of malicious code into the classic explorer.exe by the Gozi dropper, the Trojan further looks for each one of the following processes and injects itself into it. Note that for Edge, Gozi goes to RuntimeBroker.exe (see Figure 2).
- iexplore.exe
- firefox.exe
- chrome.exe
- opera.exe
- RuntimeBroker.exe
Figure 2
In Figure 3 below, we can see that Gozi has confirmed it will inject into the target process and calls on the CreateRemoteThead to begin the injection process.
Figure 3
Note that the malicious code hooks the RuntimeBroker.exe process with the Gozi-style patches. Three of the central functions being hooked here are:
- kernel32!CreateProcessA
- kernel32!CreateProcessW
- kernel32!CreateProcessAsUserW
As a result of hooking these functions, every child process of the poisoned RuntimeBroker.exe will be injected with Gozi’s code — including the Edge browser’s child process. To test and check that all the child functions are indeed hooked, we can review the Export Address Table (EAT) hooks and see the following functions on the list:
WININET!HttpAddRequestHeadersA
WININET!HttpAddRequestHeadersW
WININET!HttpQueryInfoA
WININET!HttpQueryInfoW
WININET!HttpSendRequestA
WININET!HttpSendRequestW
WININET!InternetConnectA
WININET!InternetConnectW
WININET!InternetQueryDataAvailable
WININET!InternetReadFile
WININET!InternetReadFileExA
WININET!InternetReadFileExW
WININET!InternetSetStatusCallback
WININET!InternetWriteFile
ADVAPI32!CreateProcessAsUserA
KERNEL32!CreateProcessA
KERNEL32!CreateProcessAsUserW
KERNEL32!CreateProcessW
According to actual infections detected in 2016, the current new Gozi build is being propagated in the U.K., U.S. and South Africa. The analyzed sample’s MD5 is 1bbfbd4a595b5a58993c22ddc69bc874. The VirusTotal analysis of that sample shows that it was detected in 33 out of 55 security tools.
About Gozi
The Gozi Trojan is one of the longest-standing banking Trojans in the wild today. It was first discovered in 2007, when it was operated by a closed group of developers and cybercriminals. Gozi was used for targeting banks with online banking wire fraud, mostly in English-speaking countries.
Gozi’s v1 source code was leaked mistakenly by one of its developers in late 2010 when a team was working on a major upgrade. The leaked code was then repurposed in Trojans like Vawtrak and Neverquest.
The original Gozi v2 started appearing in the wild toward the end of 2010, using new webinjection mechanisms to attack European, U.K. and U.S. banks. In late 2012, Gozi was used in what was dubbed the Prinimalka variation at the hands of criminals who planned a major, coordinated heist on U.S. banks.
In 2013, Gozi’s developers added a Master Boot Record (MBR) rootkit to create high persistency through the computer’s MBR. In 2013, another variation of Gozi was detected in the wild with a MBR infector in tow. It was in that same year that the FBI got to some of the Gozi gang, capturing and charging three individuals with crimes related to the Gozi gang’s activities. One of those arrested pleaded guilty to the charges in September 2015.
According to X-Force research, in May 2015, Gozi v2’s developers implemented major updates to the malware’s webinjection schemes and capabilities. In attacks on U.K. banks, Gozi v2 variants injected full-page replacements into the communication flow with the bank’s servers. Gozi typically injected a fake page requiring victims to change their password upon attempted login, and then added another social engineering screen asking for a one-time password/token code.
In August 2015, Gozi added banks in Bulgaria to its list of targets. Nowadays, the Trojan source code is believed to be used by a few cybercrime factions since it appears in a limited number of variations that are being developed and versioned separately.
The updated injection mechanism for Gozi has been implemented on the same variation that attacked banks in Bulgaria last year. The significance of this new finding is that the Gozi project continues to be an active and sophisticated one, and that its new injection capabilities will allow it to seamlessly attack the growing number of users who update their endpoints to Windows 10 or switch to the Edge browser.
It’s also important to keep in mind that not all banking malware variants have this capability yet. IBM X-Force research continues to follow developments to keep you up to date on the ever-evolving threat landscape.
Read the white paper: Accelerating growth and digital adoption with seamless identity trust
Malware Researcher, IBM Trusteer
Principal Consultant, X-Force Cyber Crisis Management, IBM