From the buguroo Threat Intelligence Labs: New Gozi Campaigns Designed to Avoid Web Fraud Detection Target Global Brands

The threat intelligence experts at buguroo Labs have identified new, more effective versions of Gozi malware that are being used in currently active campaigns targeting global brands, including PayPal, CitiDirect BE, ING Bank, Société Générale, BNP Paribas, the Bank of Tokyo and many more. Based on well-established cyberthreat patterns, these attacks, now being honed in Poland, Japan and Spain, will soon be launched in the U.S. and Western Europe once perfected.

Deep analysis by buguroo shows Gozi continues to evolve, and the latest variants use advanced techniques that leave organizations using the leading web fraud defense tools extremely vulnerable. Further, the dynamic web injection being used indicates a high degree of automation to optimize the selection of “mules” based on the quality and vulnerability of the victim, with the juiciest prospects earning an “operators are standing by” live intervention.

buguroo wants to reassure its customers that its real-time, internet-based bugFraud Defense protects banks and their customers from the new versions of Gozi.

Earlier this year, buguroo and other threat researchers discovered the new GozNym Trojan, which combined elements of the Nymaim and GoziTrojans. Now, buguroo has fully analyzed several new Gozi campaigns that are still currently active and has made a series of important findings.

First, the main reason Gozi escapes undetected by virtually all other web fraud defense solutions is that the web injection is very elaborate and optimized to avoid detection. When it is discovered by incident responders, it is continually refined and quickly updated when it is not working properly due to defensive measures by institutions under attack.

image001

How it works

When an infected user at a target financial institution attempts a transaction, the C2 (Command and Control server) is notified in real time and sends the user’s browser the information necessary for carrying out fraudulent transfers. (See table below)

What the user sees: The injected code presents a fraudulent deposit-pending alert requesting the security key to complete the transfer.

What lies below: Hidden underneath, however, is the actual real transfer page being presented to the bank. The unsuspecting user is inadvertently entering their key to send their money to a “mule” designated by the malware operators.

As the “drop_iban” field below indicates, the account information of the infected user can include the SWIFT BIC and account information used for international money transfers. This suggests—but by no means confirms—that this attack might underlie the spate of high-value fraudulent transfers recently reported by some countries’ central banks.

idUnique identifier of the operation
amountOperation amount
drop_ibanInformation about the actual transfer, from the account of the infected user. The destination account corresponds to a “mule” used to withdraw the money, on many occasions unaware of its true origin
drop_bic
drop_swift
drop_name
drop_surname
drop_address
drop_bank_name
drop_bank_address
purpose
description
drop_fake_ibanFictitious information, which is injected into the transfer page
drop_fake_bic
drop_fake_name
drop_fake_surname
drop_fake_address
drop_fake_bank_name
fake_purpose
balance_numberInformation about the infected user account and balance
balance_title
balance_details
transfer_status
add_info
note
type
replacer
holder_name
holder_address
balance_available_amount
approved_with_code
created_atOperation timestamp
updated_at

Tailored “mules”

image002BDuring the tests, the buguroo threat analysts observed both automated and manual “concierge” customized responses from the control panel, based on the situation determined by the webinject. Certain users are assigned to a specific “mule” in a particular country, and the malware operator decides the amount of money to be transferred. Other users are assigned to a random selected “mule” and a fixed amount of money to be transferred depending on their account balance. This appears to be the automatic mode of operation. For high value targets, malware operators select between one way or another depending on their interest for that specific victim, assigning them more reliable “mules” when it comes to greater operations.

Bypassing fraud protection based on behavioral biometrics

For certain versions of the webinjects used for specific companies, the malware sends a kind of biometric information to its control panel, such as how long the user takes to move from an input field to the next or the time between keystrokes. The malware uses these values to fill the necessary fields to perform the fraudulent transfer in what appears to be an attempt to bypass protection systems based on biometrics of user behavior.

“Through our ongoing cyber intelligence activity and world-class expertise, our team was able to identify the latest Gozi advances and alert the public,” said Pablo de la Riva Ferrezuelo, chief technology officer and co-founder of buguroo. “We are also proud to confirm that bugFraud Defense is one of the few, and perhaps the only, effective defense against these very sophisticated emerging attacks.”

buguroo will be publishing a complete report on our analysis of these new Gozi campaigns after the Black Hat conference that includes:

  • Financial institutions targeted by country
  • Details on the webinject
  • Specifics on C2 code and injection domains/URLs and hashes used in the campaigns
  • Comparison with Gootkit, including parallels in approach and code update cycles, that further prove trend toward professional malware services delivering code to different organizations, families of malware and campaigns

Is your organization struggling with the latest web fraud attacks like these? We can help. Please contact info@buguroo.com.

About buguroo

Although a startup in the U.S., buguroo is building on its five-year history in Europe and its proven technology and security operations experience. Originally, the company was a stand-alone unit in Deloitte Spain, and the buguroo team of ethical hackers and cybersecurity analysts worked alongside experts from Deloitte Spain to manage the Deloitte Security Operations Center (SOC) for Europe. In 2015, the 50-employee company was spun off as buguroo and closed a $3.34 million round of angel financing to expand its business internationally and accelerate development of its product roadmap.

Get the full report

Register to read the full report and learn more about the analyzed campaign.


We use own and third party cookies to offer our services and advertising based on your interests.
By using our services, you agree to our use of cookies as described in our Cookies Policy. More info

Cookie options on this website are set to "allow cookies" to offer a better browsing experience. If you continue to use this website without changing your settings or clicking "OK" you will be consenting cookies from this site.

Close