A journey inside Gozi campaign
Gozi is a well-known banking trojan. In this blog post, I'll take a deeper look at a recent campaign to understand how it works.
@dhlexpressuk #phishing
Subj: DHL Italy - documenti importanti
File: HK5863.js
MD5: f356cb644971384240e05a5d22cd149f
VT: 4/50 @malwrhunterteam pic.twitter.com/hNWULLHwq0
— guga (@illegalFawn) 7 November 2016
Let's try to understand the whole infection chain, from the spambot to the Gozi dropper.
The spambot - Onliner

- Checker: you provide a list of compromised SMTP accounts to the spambot, and some bots test whether the credentials are valid.
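From the defender's side, the checker behaviour described above leaves a recognisable trace on the mail server: one stolen account gets authenticated from several unrelated client IPs (different bots validating or using it), and one bot tries many different accounts in a row. The following script is an added example, not code from the post or from the spambot; it runs over a few constructed Postfix-style SASL login lines and flags both patterns. The log format, thresholds and addresses are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a Postfix-like SASL login format (not from the post).
SAMPLE_LOG = """\
Nov 07 10:01:12 mx1 postfix/smtpd[2231]: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.org
Nov 07 10:01:15 mx1 postfix/smtpd[2231]: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.org
Nov 07 10:01:19 mx1 postfix/smtpd[2240]: client=unknown[192.0.2.55], sasl_method=LOGIN, sasl_username=alice@example.org
Nov 07 10:02:01 mx1 postfix/smtpd[2240]: client=unknown[192.0.2.55], sasl_method=LOGIN, sasl_username=bob@example.org
Nov 07 10:02:03 mx1 postfix/smtpd[2240]: client=unknown[192.0.2.55], sasl_method=LOGIN, sasl_username=carol@example.org
Nov 07 10:02:05 mx1 postfix/smtpd[2240]: client=unknown[192.0.2.55], sasl_method=LOGIN, sasl_username=dave@example.org
Nov 07 10:03:00 mx1 postfix/smtpd[2250]: client=laptop.example.org[10.0.0.5], sasl_method=LOGIN, sasl_username=erin@example.org
"""

# Extracts the client IP and the authenticated username from one log line.
LOGIN_RE = re.compile(r"client=\S*\[(?P<ip>[\d.]+)\].*sasl_username=(?P<user>\S+)")


def parse_logins(text):
    """Yield (ip, username) pairs for every authenticated SMTP session in the log."""
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def shared_accounts(text, min_ips=3):
    """Accounts authenticated from at least min_ips distinct client IPs.

    One mailbox used by several bots at once is the signature of a stolen
    account that has been handed to a spambot.
    """
    ips_by_user = defaultdict(set)
    for ip, user in parse_logins(text):
        ips_by_user[user].add(ip)
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}


def spraying_clients(text, min_accounts=3):
    """Client IPs that authenticate as at least min_accounts distinct accounts.

    A single host walking through a list of credentials is what the
    checker component does when it validates the account list.
    """
    users_by_ip = defaultdict(set)
    for ip, user in parse_logins(text):
        users_by_ip[ip].add(user)
    return {ip: sorted(us) for ip, us in users_by_ip.items() if len(us) >= min_accounts}


if __name__ == "__main__":
    print("accounts used from many IPs:", shared_accounts(SAMPLE_LOG))
    print("clients trying many accounts:", spraying_clients(SAMPLE_LOG))
```

Both functions are threshold-based, so tune `min_ips` and `min_accounts` to the normal behaviour of your own users (roaming laptops legitimately log in from a few addresses a day) before alerting on the output.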
If we look at the changelog, this spambot seems to be quite young:

As we can see in the PHP source code, it seems that an SMTPBruteForcer exists:

Gozi spam
Fingerprinting campaign
Let's focus on the Gozi campaign. This campaign is quite interesting. First of all, the botmaster(s) start with a fingerprinting round. They send random emails with a hidden image inside:
When a victim opens this email, some information is leaked to "http://conceptcreationnv.com/2015/cgi-bin/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}". This information (User-Agent, IP, etc.) is useful to the botmaster because he can identify specific groups of users (Windows users, for example).
The script used for victims classification:
Output for Windows users:
This spam campaign is perhaps used for testing purposes or for target identification.
Gozi campaign
After the fingerprinting campaign, the spambot is used to spread a dropper which leads to Gozi. This JScript dropper is spread via fake invoices.
Some examples of spam templates used during the campaign:
DHL invoice:
Insurance invoice:
Spam targeting hotels:
Fake invoice

The first stage is a dropper in JScript - fattura_93785849.js:
The JScript tries to contact www.xxxxxx.xxx/r4.php. r4.php returns another piece of JScript code. This is the main component:
eval(r4.php?cmd=d) returns another JScript used to "drop and launch" Gozi. This script can come in 7 different forms:
This dropper is fully in JScript \o/
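Two of the campaign's stages described above leave URL patterns a defender can hunt for in proxy logs: the fingerprinting pixel (five digits, each 1 to 9, followed by `.gif?` and the recipient's address) and the dropper's call to `r4.php?cmd=`. The script below is an added example, not code from the post or from the campaign; it parses a few constructed proxy log lines, lists which mailboxes were confirmed active to the sender (grouped by OS family, the same view the botmaster's classification script gives him), and flags hosts that fetched the second stage. The log format, the `www.example.net` host standing in for the elided dropper domain, and the OS mapping are assumptions.

```python
import re

# Constructed proxy log lines: timestamp, client IP, quoted User-Agent, URL (not from the post).
SAMPLE_PROXY_LOG = """\
2016-11-07T09:15:02Z 10.1.4.22 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" http://conceptcreationnv.com/2015/cgi-bin/37281.gif?alice@example.org
2016-11-07T09:15:40Z 10.1.4.31 "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1 like Mac OS X) AppleWebKit/602.1" http://conceptcreationnv.com/2015/cgi-bin/91173.gif?bob@example.org
2016-11-07T09:16:11Z 10.1.4.22 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" http://www.example.com/images/logo.gif
2016-11-07T09:18:05Z 10.1.4.22 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" http://www.example.net/r4.php?cmd=d
2016-11-07T09:20:00Z 10.1.4.40 "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0" http://www.example.com/cgi-bin/1234.gif?carol@example.org
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" (?P<url>\S+)$')
# Fingerprinting pixel: exactly five digits from 1-9, then .gif?<email>, as described in the post.
BEACON_RE = re.compile(r"/cgi-bin/[1-9]{5}\.gif\?(?P<email>[^\s&\"]+)")
# Second-stage fetch: r4.php with a cmd parameter.
DROPPER_RE = re.compile(r"/r4\.php\?cmd=(?P<cmd>\w+)")

# Coarse OS classification from the User-Agent (assumed mapping; order matters for iPhone vs Mac).
OS_MARKERS = [("Windows", "Windows"), ("iPhone", "iOS"), ("Android", "Android"),
              ("Macintosh", "macOS"), ("Linux", "Linux")]


def os_family(user_agent):
    for marker, name in OS_MARKERS:
        if marker in user_agent:
            return name
    return "unknown"


def parse_line(line):
    """Split one proxy log line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_beacon_hits(text):
    """One record per request matching the fingerprinting pixel URL pattern."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = BEACON_RE.search(rec["url"])
        if m:
            hits.append({"ip": rec["ip"], "email": m.group("email"), "os": os_family(rec["ua"])})
    return hits


def find_dropper_fetches(text):
    """Hosts that requested r4.php?cmd=..., i.e. ran the first-stage JScript."""
    fetches = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = DROPPER_RE.search(rec["url"])
        if m:
            fetches.append({"ip": rec["ip"], "cmd": m.group("cmd"), "ua": rec["ua"]})
    return fetches


def exposed_mailboxes(text):
    """Mailboxes confirmed active to the sender, grouped by OS family."""
    by_os = {}
    for hit in find_beacon_hits(text):
        by_os.setdefault(hit["os"], set()).add(hit["email"])
    return {name: sorted(emails) for name, emails in by_os.items()}


if __name__ == "__main__":
    print("mailboxes leaked by the tracking pixel:", exposed_mailboxes(SAMPLE_PROXY_LOG))
    print("hosts that fetched the second stage:", find_dropper_fetches(SAMPLE_PROXY_LOG))
```

The beacon regex is deliberately anchored on the URL shape rather than on the domain alone, so it keeps matching if the same pixel generator is moved to another compromised site; the fourth sample line (a WinHttp User-Agent fetching `r4.php?cmd=d` from a host that had opened the fingerprinting mail minutes earlier) is the kind of sequence worth correlating during incident response.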
The C&C part is open, so it's possible to retrieve some statistics:

Big picture of this JSDropper:

I've seen the campaign switch between the JSDropper and doc+macro at times (https://www.virustotal.com/fr/url/6c8d675e5a2dd055ce54aa0bea80465a128dff5f3da6ddb01ae9a89ed24ff129/analysis/).
It looks like Gozi campaigns are not such a big deal...
Annexes
Spambot
- spambot.exe - b5c87cab2ff99d1e4b4c3ee897b07869fa8f6a63fbd27018f589c105faf91fcd
- CheckerSMTPv5.dll - 1cae16cb11c32aaa0cb190189d88811288e06df7cccda6473409de3ea5c7b633
- MailerSMTPv6.dll - 026df17589f9854a34a49ac097c5f8e3b99473c61e853be18050d458ae20113b
- Full list of r4.php - https://pastebin.com/fht6G6pe
- r4.php - https://pastebin.com/fxLvrM06
Gozi samples
- 6b15aa3f3d6bb1c308974fc87bd38ceb2ee337fd3495ebe6c6e7157a85e914cb
- 14b05f0bd0ca6e169a8d4be542a4165c4266a0419c1d0d857b98b4d84619bdf7
- 4f3f957334bcbde8462f9215fd20d6fd6363c449e07bbf49f30428399c9f6e57
- 9f298cee96c9de4ff85524f99fc34db3a11726ddd8c4fcdf8e2d79ef13437057
- fd11e035295639b19dfe418514c91159b3f50ea8dc350c36b63a9363e52f4533
- d843403b871a353020bffdedd9c4905e34ed195c1222c3bfd3567c97eb4f69a4
- a194d0ef0d27bd07ec22bb4ebc739847c589b4307603b6d65cf1f3fbdd19f6cd
- d4b2377c5f9af91cc693fce967f3049ab4c6ec75c162276b584002946203a770