New Gozi Malware Heads for U.S. Financial Institutions
buguroo Labs researchers identified newly-evolved versions of Gozi malware that are actively targeting financial institutions, including PayPal, ING Bank and the Bank of Tokyo, leaving organizations that rely on traditional fraud defense tools at risk.
Experts at buguroo Labs, a threat intelligence startup spun out of Deloitte’s European Security Operations Center, revealed these cybercriminals are honing their attacks in Poland, Japan and Spain before launching in the U.S. and Western Europe.
“Through our ongoing cyber intelligence activity and world-class expertise, our team was able to identify the latest Gozi advances and alert the public,” Pablo de la Riva Ferrezuelo, CTO and co-founder of buguroo, said.
A deep analysis of the situation by buguroo in a blog post said Gozi continues to evolve, and that the latest variants use advanced techniques that leave some organizations extremely vulnerable. In addition, the dynamic web injection used indicates a high degree of automation that optimizes the selection of funds-transferring mules based on the quality and vulnerability of the victim.
Earlier this year, buguroo and other threat researchers discovered the new GozNym Trojan, which is part banking Trojan and part ransomware and combined elements of the Nymaim and Gozi Trojans. Now, buguroo has analyzed several new Gozi campaigns that are currently active and revealed a series of findings.
“The main reason Gozi escapes undetected by virtually all other web fraud defense solutions is that the web injection is very elaborate and optimized to avoid detection,” buguroo noted.
When incident responders discover it, the malware is continually refined and quickly updated, buguroo added. buguroo also noted the following facts about Gozi:
- How it works: When an infected user at a targeted financial institution attempts a transaction, the command and control server receives notification in real time and sends the user’s browser the information necessary for carrying out fraudulent transfers.
- What the user sees: The injected code presents a fraudulent deposit-pending alert that requests the security key to complete the transfer.
- What lies below: Hidden underneath, however, is the actual real transfer page presented to the bank. The unsuspecting user inadvertently enters their key to send their money to a mule designated by the malware operators.
The account information the malware collects from the infected user can include the SWIFT BIC and account details used for international money transfers.
“This suggests, but by no means confirms, that this attack might underlie the spate of high-value fraudulent transfers recently reported by some countries’ central banks,” the buguroo blog said.
During the tests, buguroo threat analysts observed both automated and manual concierge-customized responses from the control panel. Responses were based on the situation determined by the webinject. In some cases, the malware operator determines the amount of money transferred to a specific mule in a particular country. For other users, mules are selected at random and a fixed amount of money is transferred, depending on the victim’s account balance. This appears to be the automatic mode of operation, buguroo said.
For high-value targets, malware operators select their course of action depending on their interest in that specific victim, assigning more reliable mules for larger operations.
For certain versions of the webinjects used for specific companies, the malware sends a kind of biometric information to its control panel, such as how long the user takes to move from one input field to the next or the time between keystrokes. The malware uses these values to fill in the necessary fields to perform the fraudulent transfer in what appears to be an attempt to bypass protection systems based on the biometrics of user behavior.
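The behavioral-biometrics angle above is what a fraud-detection team would want to test against. The following is an added example, not code from buguroo or from the article: a minimal keystroke-timing scorer that compares a session against an enrolled user profile and additionally flags a session whose timings reproduce a previously stored session verbatim. It assumes (the article does not say this) that an automated fill reusing captured timings repeats them exactly; all timing data is constructed.

```python
"""Keystroke-timing scorer: matches a session against an enrolled user profile
and flags verbatim replays of previously seen timings (defensive illustration)."""
import statistics

# Constructed sample data (not from the article): inter-keystroke intervals in
# milliseconds for a fixed-length field, captured over five genuine sessions.
ENROLLED_SESSIONS = [
    [180, 210, 160, 240, 190],
    [175, 220, 165, 235, 185],
    [190, 205, 155, 250, 195],
    [170, 215, 170, 230, 180],
    [185, 200, 160, 245, 200],
]


def build_profile(sessions):
    """Per-position mean and population standard deviation of the intervals."""
    columns = list(zip(*sessions))
    return [(statistics.mean(c), statistics.pstdev(c)) for c in columns]


def mean_zscore(profile, intervals):
    """Average absolute z-score of one session against the enrolled profile."""
    scores = [abs(x - m) / s if s else abs(x - m)
              for x, (m, s) in zip(intervals, profile)]
    return sum(scores) / len(scores)


def classify(profile, history, intervals, z_limit=2.5):
    """Return 'replay', 'mismatch' or 'ok' for a new session.

    'replay'   : the intervals exactly reproduce a stored session. Assumption:
                 an automated fill that reuses captured timings repeats them
                 verbatim, which a human typist essentially never does.
    'mismatch' : the cadence is far from the user's profile (another person, or
                 a scripted fill with an unrelated or uniform rhythm).
    'ok'       : plausible variation around the enrolled profile.
    """
    if any(list(intervals) == list(h) for h in history):
        return "replay"
    if mean_zscore(profile, intervals) > z_limit:
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    prof = build_profile(ENROLLED_SESSIONS)
    for label, s in [("genuine", [182, 212, 164, 238, 192]),
                     ("uniform", [50, 50, 50, 50, 50]),
                     ("replayed", [175, 220, 165, 235, 185])]:
        print(label, classify(prof, ENROLLED_SESSIONS, s))
```

In production the stored history would be per user and bounded in age, and the z-score would be only one feature among several; the point here is that an exact timing match is itself a signal worth alerting on.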