Gozi is a financial malware that was the focus of media attention over several months in late 2012 and early 2013. It infected more than 1 million computers around the world, causing tens of millions of dollars in damage. In late 2012, Gozi was part of a planned attack against U.S. banks, and recently, it was reported that the alleged author of the malware was arrested and faces up to 95 years in prison if he is found guilty

It seems that the capture of the alleged author was celebrated all too soon. Banks across the world — and specifically in the United States — have continued to experience Gozi-based fraud well into 2013. Not only that, but it’s actually getting worse.

Gozi Gets Worse

The research team for IBM Security Trusteer has identified a new Gozi variant that infects the Master Boot Record (MBR), ensuring it loads with the operating system after a reboot and remains on the infected system even if the operating system is reinstalled. Even though MBR rootkits are considered highly effective, they haven’t been integrated into a lot of financial malware. One exception was the Mebroot rootkit, which was used to deploy Torpig (aka Sinowal/Anserin).

Due to their strategic placement in the operating system’s kernel, rootkits are difficult to identify and remove. Upon infection, Gozi lurks in the MBR, waiting for Internet Explorer (IE) to be launched. Once IE is detected, the malware injects itself into the process and runs inside the browser. It intercepts traffic and performs Web injections, like most financial Trojans do. In fact, the Gozi variant IBM research detected looks like an old variant that was not previously packaged with the rootkit that was used. This may indicate that a new rootkit is being sold in cyber criminal forums and adopted by malware authors.

Although some rootkits can be removed using dedicated tools, most experts recommend a complete hard drive format to ensure a clean start. Financial institutions should change infected user credentials only after a system format or after the malware functionality is disabled.

IBM Security Trusteer Rapport protects end users by preventing the malware code from injecting into the browser. However, to fully mitigate fraud risk, it is recommended that infected users do format the hard drive, reinstall the operating system, install Trusteer Rapport and receive new credentials to their online banking account.

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today