Friday 20 January 2017

A journey inside Gozi campaign

Gozi is a well-known banking trojan. In this blog post I'll take a deeper look at a recent campaign to understand how it works.
Let's try to follow the whole infection chain, from the spambot to the Gozi dropper.

The spambot - Onliner

This Gozi campaign relies on a spambot called "Onliner". As we can see in the C&C panel, this spambot has two main features:
  • Checker: you feed the spambot a list of compromised SMTP accounts and some bots test whether the credentials are valid.
I've found around 80 million compromised SMTP accounts in the checker module. Some of them come from public leaks (like Badoo, LinkedIn...) and others come from unknown sources.
  • Mailer: the spam mailer:

    Mailer request details:
If we look at the changelog, this spambot seems to be quite young:

As we can see in the PHP source code, an SMTP brute-forcer also seems to exist:


Gozi spam

Fingerprinting campaign

Let's focus on the Gozi campaign. This campaign is quite interesting. First of all, the botmaster(s) start with a fingerprinting round.
They send some random emails with a hidden image inside:

When a victim opens this email, some information is leaked to "http://conceptcreationnv.com/2015/cgi-bin/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}". This information (User-Agent, IP, etc.) is useful for the botmaster because it lets him identify specific groups of users (Windows users, for example).
The script used for victim classification:

Output for Windows users:

This spam campaign is perhaps used for testing purposes or for target identification.
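From the defender's side, the same beacon that lets the botmaster classify recipients also shows up in web-proxy or mail-gateway logs as a request to a five-digit .gif with an e-mail address as the raw query string. The following is an added example, not code from the post: it parses constructed combined-format log lines, keeps only requests matching the beacon shape quoted above, recovers the recipient address from the query and buckets the User-Agent by OS, so a security team can see which users rendered the tracking pixel and from what platform. The log lines, IP addresses and e-mail addresses are made up; the host and path pattern follow the URL the post quotes.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined log format). Paths follow the
# /2015/cgi-bin/{1-9}{1-9}{1-9}{1-9}{1-9}.gif?{email} shape quoted in the post;
# IPs, e-mail addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jan/2017:09:12:01 +0100] "GET /2015/cgi-bin/48213.gif?alice@example.org HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
198.51.100.7 - - [18/Jan/2017:09:12:44 +0100] "GET /2015/cgi-bin/91537.gif?bob%40example.net HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) AppleWebKit/602.3.12"
192.0.2.55 - - [18/Jan/2017:09:13:02 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
203.0.113.10 - - [18/Jan/2017:09:15:30 +0100] "GET /2015/cgi-bin/48213.gif?alice@example.org HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
"""

# Combined log format: ip ident user [ts] "METHOD url PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Five digits, each from 1 to 9, then .gif: the alternatives quoted in the post.
BEACON_PATH_RE = re.compile(r"^/2015/cgi-bin/[1-9]{5}\.gif$")


def classify_os(user_agent):
    """Coarse OS bucket from the User-Agent; the split the post says the
    botmaster cares about is Windows users versus everybody else."""
    if "Windows" in user_agent:
        return "Windows"
    if "iPhone" in user_agent or "iPad" in user_agent:
        return "iOS"
    if "Android" in user_agent:
        return "Android"
    if "Mac OS X" in user_agent:
        return "macOS"
    if "Linux" in user_agent:
        return "Linux"
    return "unknown"


def find_beacon_hits(log_text):
    """Return one dict per request whose path matches the beacon shape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not BEACON_PATH_RE.match(parts.path):
            continue
        # The post shows the recipient address as the bare query string
        # (?{email}), not as key=value, so the whole query is the identifier.
        email = unquote(parts.query)
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "email": email,
                     "os": classify_os(m.group("ua")), "ua": m.group("ua")})
    return hits


def summarize(hits):
    """Per recipient: how often the pixel was fetched, from which IPs, which OS."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["email"], {"opens": 0, "ips": set(), "os": set()})
        entry["opens"] += 1
        entry["ips"].add(h["ip"])
        entry["os"].add(h["os"])
    return summary


if __name__ == "__main__":
    for email, info in summarize(find_beacon_hits(SAMPLE_LOG)).items():
        print(f"{email}: opened {info['opens']}x from {sorted(info['ips'])} "
              f"on {sorted(info['os'])}")
```

Run against real proxy logs, the same query-string test is a useful generic rule: a tiny image fetched with a per-recipient identifier in the query is a tracking pixel regardless of the host, and the recipients it lists are the ones a follow-up campaign is likely to target.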

Gozi campaign

After the fingerprinting campaign, the spambot is used to spread a dropper which leads to Gozi.
This JScript dropper is spread via fake invoices.
Some examples of spam templates used during the campaign:
DHL invoice:

Insurance invoice:

Spam targeting hotels:

Fake invoice
The first stage is a JScript dropper - fattura_93785849.js:

The JScript tries to contact www.xxxxxx.xxx/r4.php. r4.php returns another piece of JScript code. This is the main component:

eval(r4.php?cmd=d) returns another JScript used to "drop and launch" Gozi. This script can come in 7 different forms:

This dropper is written entirely in JScript \o/
The C&C part is open, so it's possible to retrieve some statistics:
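The chain just described (a small .js attachment that fetches r4.php, evaluates what comes back, then fetches a "drop and launch" stage with ?cmd=d) has a recognisable static shape that a mail gateway can score before any of it runs. The following is an added example, not code from the post or from the campaign: a simple indicator-based triage for JScript attachments. The r4.php?cmd= URL shape comes from the post; the ActiveXObject, XMLHTTP, WScript.Shell and ADODB.Stream names are assumptions about what a Windows Script Host loader typically uses, not something the post documents, and the two input scripts are constructed (the "stage 1" one is a deliberately incomplete fragment, not a working loader).

```python
import re

# Indicator patterns. The ".php?cmd=" URL shape is from the post; the COM
# object names are assumptions about typical Windows Script Host loaders.
INDICATORS = {
    "wsh_com_object":   re.compile(r"\bnew\s+ActiveXObject\s*\(", re.I),
    "http_client":      re.compile(r"XMLHTTP|WinHttpRequest", re.I),
    "eval_of_response": re.compile(r"\beval\s*\([^)]*responseText", re.I),
    "eval_any":         re.compile(r"\beval\s*\(", re.I),
    "shell_run":        re.compile(r"WScript\.Shell|\.Run\s*\(", re.I),
    "file_write":       re.compile(r"ADODB\.Stream|SaveToFile", re.I),
    "staged_cmd_url":   re.compile(r"https?://[^\s\"']+\.php(\?cmd=\w+)?", re.I),
    "char_decoding":    re.compile(r"String\.fromCharCode|unescape\s*\(", re.I),
}

# Fetch-and-eval is the strongest single signal; the rest add up.
WEIGHTS = {"wsh_com_object": 2, "http_client": 2, "eval_of_response": 3,
           "eval_any": 1, "shell_run": 2, "file_write": 2,
           "staged_cmd_url": 1, "char_decoding": 1}

# Constructed fragment in the shape of the stage-1 loader described in the
# post; the request itself is omitted, so this is not a working script.
STAGE1_FRAGMENT = r'''
var u = "http://www.xxxxxx.xxx/r4.php";
var h = new ActiveXObject("MSXML2.XMLHTTP");
/* ... request and error handling omitted ... */
eval(h.responseText);
'''

# Constructed harmless script for comparison: a tiny invoice-total helper.
BENIGN_SCRIPT = r'''
function total(items) {
  var s = 0;
  for (var i = 0; i < items.length; i++) s += items[i];
  return s;
}
WScript.Echo(total([10, 20, 30]));
'''


def triage_jscript(source):
    """Score a .js attachment by the indicators it contains and return the
    matched indicator names, the score, a verdict and any staged URLs seen."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(source)]
    score = sum(WEIGHTS[name] for name in matched)
    urls = sorted({m.group(0) for m in INDICATORS["staged_cmd_url"].finditer(source)})
    if score >= 5:
        verdict = "suspicious"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "clean"
    return {"score": score, "verdict": verdict, "indicators": matched, "urls": urls}


if __name__ == "__main__":
    for label, src in (("stage1 fragment", STAGE1_FRAGMENT), ("benign", BENIGN_SCRIPT)):
        print(label, triage_jscript(src))
```

The thresholds are arbitrary starting points; what matters for a gateway rule is that a script combining an HTTP client object with eval of the response body is almost never legitimate in an e-mail attachment, while eval or a COM object alone is common enough in admin scripts to deserve only a review flag.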

Big picture of this JSDropper:

I've seen a few switches between the JSDropper and doc+macro over time (https://www.virustotal.com/fr/url/6c8d675e5a2dd055ce54aa0bea80465a128dff5f3da6ddb01ae9a89ed24ff129/analysis/).
It looks like Gozi campaigns are not such a big deal...


Annexes

Spambot

Gozi samples

OTX - https://otx.alienvault.com/pulse/5851b5d287d2d95d361dd743/