The threat intelligence experts at buguroo Labs have identified new, more effective versions of Gozi malware that are being used in currently active campaigns targeting global brands, including PayPal, CitiDirect BE, ING Bank, Société Générale, BNP Paribas, the Bank of Tokyo and many more. Based on well-established cyberthreat patterns, these attacks, now being honed in Poland, Japan and Spain, will soon be launched in the U.S. and Western Europe once perfected.
Deep analysis by buguroo shows Gozi continues to evolve, and the latest variants use advanced techniques that leave organizations using the leading web fraud defense tools extremely vulnerable. Further, the dynamic web injection being used indicates a high degree of automation to optimize the selection of “mules” based on the quality and vulnerability of the victim, with the juiciest prospects earning an “operators are standing by” live intervention.
buguroo wants to reassure its customers that its real-time, internet-based bugFraud Defense protects banks and their customers from the new versions of Gozi.
Earlier this year, buguroo and other threat researchers discovered the new GozNym Trojan, which combined elements of the Nymaim and Gozi Trojans. Now, buguroo has fully analyzed several new Gozi campaigns that are still currently active and has made a series of important findings.
First, the main reason Gozi escapes undetected by virtually all other web fraud defense solutions is that the web injection is very elaborate and optimized to avoid detection. When it is discovered by incident responders, it is continually refined and quickly updated when it is not working properly due to defensive measures by institutions under attack.
How it works
When an infected user at a target financial institution attempts a transaction, the C2 (Command and Control server) is notified in real time and sends the user’s browser the information necessary for carrying out fraudulent transfers (see the table below).
What the user sees: The injected code presents a fraudulent deposit-pending alert requesting the security key to complete the transfer.
What lies below: Hidden underneath, however, is the actual transfer page being presented to the bank. The unsuspecting user is inadvertently entering their key to send their money to a “mule” designated by the malware operators.
As the “drop_iban” field below indicates, the account information of the infected user can include the SWIFT BIC and account information used for international money transfers. This suggests—but by no means confirms—that this attack might underlie the spate of high-value fraudulent transfers recently reported by some countries’ central banks.
| Field | Meaning |
|---|---|
| id | Unique identifier of the operation |
| drop_iban | Information about the actual transfer, from the account of the infected user. The destination account corresponds to a “mule” used to withdraw the money, on many occasions unaware of its true origin |
| drop_fake_iban | Fictitious information, which is injected into the transfer page |
| balance_number | Information about the infected user account and balance |
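To show what a fraud team does with the fields in the table once a C2 response has been captured, here is an added Python example; it is not buguroo's code and not taken from the malware. It parses constructed records that use the four field names above, validates each drop_iban with the ISO 13616 mod-97 checksum, groups the real mule accounts by country code (the page notes the data carries international transfer details) and keeps the decoy IBANs separately, since those are what victims will quote when they report the fake "deposit pending" screen. The JSON-lines layout, the balance_number format and the victim values are assumptions; the IBANs are the published example numbers.

```python
import json

# Constructed sample of C2-style records (assumption: one JSON object per line,
# field names taken from the table above). The IBANs are published example values;
# the victim account/balance strings are invented for illustration.
SAMPLE_C2_RECORDS = """
{"id": "op-0001", "drop_iban": "DE89 3704 0044 0532 0130 00", "drop_fake_iban": "GB82 WEST 1234 5698 7654 32", "balance_number": "victim-acct-1111;balance=12500.00"}
{"id": "op-0002", "drop_iban": "GB82 WEST 1234 5698 7654 33", "drop_fake_iban": "DE89 3704 0044 0532 0130 00", "balance_number": "victim-acct-2222;balance=830.50"}
{"id": "op-0003", "drop_iban": "DE89 3704 0044 0532 0130 00", "drop_fake_iban": "GB82 WEST 1234 5698 7654 32", "balance_number": "victim-acct-3333;balance=4100.00"}
"""


def normalise_iban(iban):
    """Strip spaces and upper-case so the same account compares equal regardless of formatting."""
    return "".join(iban.split()).upper()


def iban_is_valid(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A..Z to 10..35, and the resulting integer must be 1 mod 97."""
    s = normalise_iban(iban)
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def parse_records(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def extract_indicators(records):
    """Turn captured records into data a fraud team can act on.

    Returns a dict with:
      mules     - checksum-valid real beneficiary IBANs (drop_iban), grouped by country code
      decoys    - the fictitious IBANs shown to victims (drop_fake_iban)
      victims   - the balance_number strings, so affected accounts can be contacted
      anomalies - records whose drop_iban fails the checksum (mis-parsed or malformed)
    """
    mules, decoys, victims, anomalies = {}, set(), [], []
    for rec in records:
        real = normalise_iban(rec["drop_iban"])
        fake = normalise_iban(rec["drop_fake_iban"])
        decoys.add(fake)
        victims.append(rec["balance_number"])
        if iban_is_valid(real):
            mules.setdefault(real[:2], set()).add(real)
        else:
            anomalies.append((rec["id"], "drop_iban_fails_mod97"))
    return {
        "mules": {cc: sorted(accounts) for cc, accounts in sorted(mules.items())},
        "decoys": sorted(decoys),
        "victims": victims,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    print(json.dumps(extract_indicators(parse_records(SAMPLE_C2_RECORDS)), indent=2))
```

The checksum step matters in practice: a record that fails mod-97 is either a parsing mistake on the analyst's side or a placeholder the panel has not yet filled, and either way it should not go onto a beneficiary blocklist unreviewed.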
During the tests, the buguroo threat analysts observed both automated and manual “concierge” customized responses from the control panel, based on the situation determined by the webinject. Certain users are assigned to a specific “mule” in a particular country, and the malware operator decides the amount of money to be transferred. Other users are assigned to a randomly selected “mule” and a fixed amount of money to be transferred, depending on their account balance. This appears to be the automatic mode of operation. For high-value targets, malware operators choose between the two modes depending on their interest in that specific victim, assigning the more reliable “mules” to the larger operations.
Bypassing fraud protection based on behavioral biometrics
For certain versions of the webinjects used for specific companies, the malware sends a kind of biometric information to its control panel, such as how long the user takes to move from one input field to the next or the time between keystrokes. The malware uses these values when filling in the fields needed to perform the fraudulent transfer, in what appears to be an attempt to bypass protection systems based on the biometrics of user behavior.
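The bypass described above works by feeding recorded human timings back through the browser, so a behavioural-biometrics check that only measures similarity to the user's stored profile can be satisfied by a faithful replay. The added Python example below (not part of this page and not bugFraud Defense's logic) shows two complementary heuristics a defender can layer on top of profile matching: near-exact repetition of a previously seen inter-keystroke timing vector, and unnaturally uniform timing. The sample timing vectors, the tolerance and the variation threshold are constructed for illustration and would be tuned per deployment.

```python
import statistics

# Constructed inter-keystroke intervals in milliseconds (illustration only).
HUMAN_SESSION = [180, 240, 95, 310, 150, 220]        # a genuine rhythm from an earlier login
FRESH_HUMAN_SESSION = [210, 170, 130, 280, 160, 240]  # the same person typing again, naturally different
REPLAYED_SESSION = [181, 240, 94, 310, 151, 220]      # HUMAN_SESSION fed back with tiny drift
SCRIPTED_SESSION = [200, 200, 200, 200, 200, 200]     # machine-paced input, no jitter at all


def intervals_from_timestamps(timestamps_ms):
    """Turn absolute keystroke timestamps into the gaps between consecutive keys."""
    return [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]


def looks_replayed(candidate, history, tolerance_ms=2):
    """True if the candidate reproduces any earlier session gap-for-gap within tolerance.
    People do not repeat a rhythm this exactly; a recorded-and-replayed vector does."""
    for past in history:
        if len(past) == len(candidate) and all(
            abs(a - b) <= tolerance_ms for a, b in zip(past, candidate)
        ):
            return True
    return False


def looks_scripted(intervals, min_cv=0.05):
    """True if the rhythm is too regular: coefficient of variation (stdev / mean) below min_cv."""
    if len(intervals) < 3:
        return False
    mean = statistics.mean(intervals)
    if mean <= 0:
        return True
    return statistics.pstdev(intervals) / mean < min_cv


def assess_session(intervals, history):
    """Return the list of reasons to distrust this session; an empty list means nothing flagged."""
    reasons = []
    if looks_replayed(intervals, history):
        reasons.append("replay_of_prior_session")
    if looks_scripted(intervals):
        reasons.append("uniform_timing")
    return reasons


if __name__ == "__main__":
    history = [HUMAN_SESSION]  # sessions already on file for this user
    for name, session in [
        ("fresh human", FRESH_HUMAN_SESSION),
        ("replay", REPLAYED_SESSION),
        ("scripted", SCRIPTED_SESSION),
    ]:
        print(name, assess_session(session, history))
```

The replay check is the one that speaks directly to the technique in the paragraph: a session that matches the stored profile is expected, but one that matches a stored session almost exactly is the signature of captured values being typed back in.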
“Through our ongoing cyber intelligence activity and world-class expertise, our team was able to identify the latest Gozi advances and alert the public,” said Pablo de la Riva Ferrezuelo, chief technology officer and co-founder of buguroo. “We are also proud to confirm that bugFraud Defense is one of the few, and perhaps the only, effective defense against these very sophisticated emerging attacks.”
buguroo will be publishing a complete report on our analysis of these new Gozi campaigns after the Black Hat conference that includes:
- Financial institutions targeted by country
- Details on the webinject
- Specifics on C2 code and injection domains/URLs and hashes used in the campaigns
- Comparison with Gootkit, including parallels in approach and code update cycles, that further prove the trend toward professional malware services delivering code to different organizations, families of malware and campaigns
Is your organization struggling with the latest web fraud attacks like these? We can help. Please contact firstname.lastname@example.org.
Although a startup in the U.S., buguroo is building on its five-year history in Europe and its proven technology and security operations experience. Originally, the company was a stand-alone unit in Deloitte Spain, and the buguroo team of ethical hackers and cybersecurity analysts worked alongside experts from Deloitte Spain to manage the Deloitte Security Operations Center (SOC) for Europe. In 2015, the 50-employee company was spun off as buguroo and closed a $3.34 million round of angel financing to expand its business internationally and accelerate development of its product roadmap.