November 24, 2017

Trojans designed to steal money from bank accounts pose a serious threat. Because banking Trojans are usually rather complex multicomponent malicious programs, they do not appear that often. Doctor Web’s specialists examined a new version of a malicious program from the well-known Trojan.Gozi family.

The new banking Trojan, dubbed Trojan.Gozi.64, is based on the source code of the previous version of Trojan.Gozi; that code was made publicly available a long time ago. Like other representatives of this family, Trojan.Gozi.64 can infect computers running 32- and 64-bit Windows versions. The Trojan has a modular architecture. However, unlike previous modifications, it completely consists of separately downloaded plugins. Trojan.Gozi.64 also does not have algorithms for generating control servers. Server addresses are hard-coded into its configuration, whereas, for a dictionary, one of the first versions of Gozi used a text file downloaded from a NASA server.

The Trojan’s creator embedded a restriction into the malicious program which allows it to operate on Microsoft Windows 7 and later versions. The malicious program does not run on earlier Windows versions. Additional modules are downloaded from a command and control server using a special loader library. In addition, the data exchange protocol uses encryption. The Trojan.Gozi.64 loader can execute the following malicious functions on an infected machine:

• Check for any updates for the Trojan;
• Download from a remote server plugins for browsers used for web injections;
• Download web-injection configurations from a remote server;
• Obtain personal tasks, including those requiring the download of additional plugins;
• Remote computer administration.

In order to perform web injections, Trojan.Gozi.64 uses its own configurable plugin. At the moment, our security researchers are aware of plugins existing for Microsoft Internet Explorer, Microsoft Edge, Google Chrome, and Mozilla Firefox. Once it installs the corresponding module, the Trojan receives from the command and control server a ZIP archive containing the configuration for executing web injections. As a result, Trojan.Gozi.64 can inject arbitrary content into user-viewed webpages. This content can, for example, be fake authorization forms on bank websites and in online banking systems. In addition, due to the fact that webpage modification is performed directly on an infected computer, the URL of whatever website is involved remains intact in the browser address bar, something that may prevent the user from realizing something is amiss. Any data the user enters into a fake form is sent to cybercriminals, which results in the account of the Trojan’s victim becoming compromised.

Moreover, additional modules can be downloaded and installed on an infected computer; such modules may include a keylogger plugin, a module for remotely accessing the infected machine (VNC), a SOCKS proxy server component, a plugin for stealing authorization data from mail clients, and some others.

The signatures of the banking Trojan Trojan.Gozi.64 and its modules have been added to the Dr.Web virus database, and, therefore, they pose no threat to computers protected with Dr.Web.

#banker #banking_Trojan #online-banking #Trojan