vendredi 20 janvier 2017

A journey inside Gozi campaign

A journey inside Gozi campaign

Goziis a well known bankin trojan. In this blogpost, I'll try to take a look deeper at a recent campaign for understanding how that works.
Let's try to understand all the chain of infection from spambot to Gozi dropper.

The spambot - Onliner

This Gozi campaign is based on a SpamBot called "Onliner". As we can see in the C&C Panel, this spambot has 2 main features:
  • Checker: You provide a list of compromised smtp accounts to the spambot and some bots test if credentials are valids.
I've found around 80 millions compromised SMTP accounts on the checker module. Some of them come from public leaks (like badoo, linkedin...) and some other come from unknown sources.
  • Mailer: The spam mailer:

    Mailer requests details:
If we look at the changelog, this spambot seems to be quite young:

As we can see in the PHP source code, it seems that a SMTPBruteForcer exists:

Gozi spam

Fingerprinting campaign

Let's focus on Gozi campaign. This campaign is quite interesting. First of all, botmaster(s) starts by a fingerprinting round.
They send some random emails with a hidden image inside:

When a victim open this email, some information are leaked to "{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}". These information (User Agent, IP etc) are usefull for the botmaster because he can indentify specifics groups of users (Windows users for example).
The script used for victims classification:

Output for Windows users:

This spam campaign is maybe used for tests purpose or for target identification.

Gozi campaign

After the fingerprinting campaign, the spambot is used for spreading a dropper which leads to Gozi .
This JScript dropper is spread via fake invoices;
Some example of spams templates used during the campaign:
DHL invoce:

Insurance invoce:

Spam targeting Hotel:

Fake invoice
The first stage is a dropper in JScript - fattura_93785849.js:

The JScript tries to contact r4.php return another JScript code. This is the main component:

eval(r4.php?cmd=d) returns another JScript used for "Drop and Launch" Gozi . This script can be in 7 differents form:

This dropper is fully in JScript \o/
The C&C part is open, it's possible to retrieves some statistics:

Big picture of this JSDropper:

I've seen some switch between JSDropper and doc+macro during some times (
It's look like Gozi campaigns are not a so big deal...



Gozi samples


14 commentaires:

  1. Its very nice informative article. thanks for sharing such great article hope keep sharing such kind of article email extractor

  2. Your article reflects the issues people care about. The article provides timely information that reflects multi-dimensional views from multiple perspectives. I look forward to reading quality articles containing timely information from you. Thank you for sharing this great information.خرید بلیط هواپیما با گسترش روز افزون استفاده از اینترنت دچار تحولات زیادی شده است به طوری که امروزه بلیط هواپیما به مقاصد مختلف را می توان به صورت اینترنتی خریداری کرد. این روش دارای مزایای زیادی است که موجب می شود متقاضیان زیادی از این روش به صورت گسترده و روز افزون استفاده کنند. صرفه جویی در زمان و هزینه، سرعت و جابجایی در سفرهای بین شهری مسافران، باعث شده تا متقاضیان زیادی از روش خرید اینترنتی بلیط هواپیما استفاده نمایند. حق انتخاب گسترده تر مسافران یکی دیگر از مزایای استفاده از اینترنت در به دست آوردن بلیط دلخواه می باشد. با مراجعه به سایت تیک بان می توانید انواع بلیط هواپیما را به مقاصد مختلف و با قیمت های ارزان و اقتصادی مشاهده کرده و بهترین گزینه را رزرو کنید. - خرید بلیط هواپیما تیک بان - خرید بلیط اتوبوس - خرید بلیط قطار - چارتر

  3. In case you're searching for a spot to share your movement tips or stories, why not compose a visitor post for Write for us Travel Magazine.

  4. I am very impressed with your article. if you want to restore your accounting files contact us call us on QuickBooks technical support number.QuickBooks support phone number

  5. Garmin Support Center is the place you will discover answers to as often as possible posed inquiries and assets to help with the entirety of your Garmin items. Garmin express iPhone

  6. You done an excellent job.

  7. Learn how to Fix Error while HP Printer Wireless Setup so that you can print to it from any device connected to the same network.


  8. یکی از مزایای رزرو اینترنتی هتل از جااینجاس امکان مشاهده ویژگی ها، امکانات و قیمت هتل روی سایت است. شما می توانید هر شهری را که می خواهید انتخاب کنید، هتل های آن را بررسی کرده و آنها را با بهترین قیمت رزرو کنید.

  9. قاصدک اس ام اس این امکان را برایتان فراهم کرده است تا پیامک های خود را بر اساس سن، جنسیت، منطقه، تحصیلات و بسیاری از موارد دیگر ارسال کنید. همچنین امکان خرید آنلاین پنل هم برای شما فراهم شده است.

  10. This blog is very useful for me, helps me learn a lot. I appreciate your kindness in sharing this useful with you and me!
    Verizon's email service is widely regarded as one of the best in the world. It has a powerful feature set and a fantastic user interface, making it a top-notch emailing platform. If you can't remember your Verizon password and are having trouble logging in to your account, you can easily Change Verizon Email Password by visiting our website and following our guidelines.

  11. اخبار سلامت
    Health economics education at eghtesadafarin economic news
    اخبار آموزش اقتصاد سلامت در اقتصاد آفرین، سامانه جامع تحلیل اخبار اقتصادی