A widely-distributed banking trojan has once again been updated with new attack techniques as cyber criminals look to ensure their malware is as effective – and discreet – as possible in efforts to steal banking credentials from customers of various financial institutions.
The Gozi ISFB banking trojan is now being distributed with the aid of the ‘Dark Cloud’ botnet, a criminal service which is being used for the distribution of several malware families, including Gozi and Nymaim.
According to researchers at Cisco Talos, those behind Gozi have leveraged the Dark Cloud botnet to help launch campaigns over the last six months.
What makes the botnet appealing to those behind malware campaigns is how it uses its army of hijacked computers to change the DNS records of the sites it hosts every few minutes, so that each domain points to a different compromised machine in quick succession.
Analysis of one website found that it used 287 different addresses over the course of 24 hours, equivalent to a rotation every five minutes, making it more difficult for anyone looking to identify the hackers to track them down.
“This demonstrates just how fluid the DNS configuration associated with these domains is and how much infrastructure is being used by these attackers,” said researchers.
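The rotation rate quoted above (287 addresses in 24 hours, roughly one change every five minutes) is the signal a defender can look for in passive DNS data. The following is an added example, not part of the article or of the Talos research and not the tooling Talos used: it parses constructed passive-DNS style log lines, measures per-domain answer churn, and flags domains whose answers change quickly across many distinct addresses. The domain names, IP addresses and the two thresholds are placeholders and assumptions chosen for the example, not indicators from the report.

```python
"""Flag domains whose DNS answers rotate rapidly across many addresses.

Input is a set of passive-DNS style records (timestamp, domain, A-record
answer). Everything below is constructed for this example: the domains are
placeholders and the thresholds are assumed starting points, not values from
the Talos report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Resolution(NamedTuple):
    ts: datetime
    domain: str
    ip: str


def parse_line(line: str) -> Resolution:
    """Parse one constructed log line of the form '<ISO timestamp> <domain> A <ip>'."""
    ts, domain, rtype, ip = line.split()
    if rtype != "A":
        raise ValueError(f"unsupported record type: {rtype}")
    return Resolution(datetime.fromisoformat(ts), domain, ip)


def churn_stats(records: Iterable[Resolution]) -> Dict[str, dict]:
    """Per domain: distinct answer IPs, number of answer changes, and the mean
    number of minutes between consecutive changes (None if fewer than two)."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)
    stats = {}
    for domain, rs in by_domain.items():
        rs.sort(key=lambda r: r.ts)
        change_times = [cur.ts for prev, cur in zip(rs, rs[1:]) if cur.ip != prev.ip]
        if len(change_times) >= 2:
            gaps = [(b - a).total_seconds() / 60
                    for a, b in zip(change_times, change_times[1:])]
            mean_gap = sum(gaps) / len(gaps)
        else:
            mean_gap = None
        stats[domain] = {
            "unique_ips": len({r.ip for r in rs}),
            "changes": len(change_times),
            "mean_minutes_between_changes": mean_gap,
            "span_hours": (rs[-1].ts - rs[0].ts).total_seconds() / 3600,
        }
    return stats


def flag_fast_flux(stats: Dict[str, dict], min_unique_ips: int = 10,
                   max_minutes_between_changes: float = 15.0) -> List[str]:
    """Require BOTH many distinct answers and a short rotation interval, so a
    domain that merely alternates between two load-balanced addresses is not
    reported. Thresholds are assumptions for the example."""
    flagged = []
    for domain, s in stats.items():
        gap = s["mean_minutes_between_changes"]
        if (s["unique_ips"] >= min_unique_ips
                and gap is not None and gap <= max_minutes_between_changes):
            flagged.append(domain)
    return sorted(flagged)


def build_sample_log() -> List[str]:
    """Constructed sample: a placeholder domain that answers with a new address
    every five minutes for four hours (48 distinct IPs), a stable domain that
    always returns one address, and a CDN-like domain that alternates between
    two addresses (many changes, few IPs)."""
    start = datetime(2018, 3, 1, 0, 0, 0)
    lines = []
    for i in range(48):
        ts = (start + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} flux-placeholder.example A 203.0.113.{i + 1}")
        lines.append(f"{ts} stable-placeholder.example A 198.51.100.10")
        lines.append(f"{ts} cdn-placeholder.example A 192.0.2.{1 + i % 2}")
    return lines


def analyse(lines: Iterable[str]) -> Tuple[Dict[str, dict], List[str]]:
    stats = churn_stats(parse_line(line) for line in lines)
    return stats, flag_fast_flux(stats)


if __name__ == "__main__":
    stats, flagged = analyse(build_sample_log())
    for domain, s in stats.items():
        print(domain, s)
    print("flagged:", flagged)
```

Run as-is it reports only the fluxing placeholder: the stable domain never changes, and the CDN-like domain changes just as often but cycles through only two addresses, which is why the check combines distinct-address count with rotation interval rather than relying on either alone.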
Distribution of Gozi malware itself is more restrained than many malware campaigns, with those behind the scheme undertaking a low-volume operation, choosing to target specific organisations with custom messages and attachments. Researchers describe it as “an attempt to evade detection while maximizing the likelihood that the victim will open the attached files”.
This latest round of Gozi attacks continues to use the previously identified technique of conversation hijacking, with the attackers creating emails which look to be part of an ongoing thread in an attempt to increase the likelihood the victim will trust the sender and download the malicious attachment equipped with the malware downloader.
Researchers note that even the lure documents are individualised, again indicating the effort going into the campaign. If the Word document is opened, the user is told they need to ‘enable content’ to see the file.
If the victim follows this instruction, the macros within the document are enabled and Gozi is downloaded from the command and control server with the aid of obfuscated Visual Basic and PowerShell commands.
Cisco Talos researchers also note that those behind Gozi are experimenting with additional payloads including SpyEye, a credential stealing malware targeting Apple devices, and CryptoShuffler, which secretly carries out cryptocurrency mining on infected machines for the benefit of the attackers.
While Gozi remains the main focus of the hacking group, it’s likely that distribution of additional payloads is being tested as something of an insurance policy in the event that Gozi ever becomes redundant. But the use of the Dark Cloud botnet is likely to be an effort to ensure Gozi remains discreet and profitable for a long time to come.
“Attackers are continuing to modify their techniques and finding effective new ways to obfuscate their malicious server infrastructure in an attempt to make analysis and tracking more difficult,” said Talos researchers, who added that Gozi “will not be going away any time soon”.
The identity of the threat actor behind the Gozi banking trojan campaigns remains unknown, but indicators point to it being the work of a highly organised and well-resourced crime ring.