vendredi 20 janvier 2017

A journey inside Gozi campaign

A journey inside Gozi campaign

Goziis a well known bankin trojan. In this blogpost, I'll try to take a look deeper at a recent campaign for understanding how that works.
Let's try to understand all the chain of infection from spambot to Gozi dropper.

The spambot - Onliner

This Gozi campaign is based on a SpamBot called "Onliner". As we can see in the C&C Panel, this spambot has 2 main features:
  • Checker: You provide a list of compromised smtp accounts to the spambot and some bots test if credentials are valids.
I've found around 80 millions compromised SMTP accounts on the checker module. Some of them come from public leaks (like badoo, linkedin...) and some other come from unknown sources.
  • Mailer: The spam mailer:

    Mailer requests details:
If we look at the changelog, this spambot seems to be quite young:

As we can see in the PHP source code, it seems that a SMTPBruteForcer exists:

Gozi spam

Fingerprinting campaign

Let's focus on Gozi campaign. This campaign is quite interesting. First of all, botmaster(s) starts by a fingerprinting round.
They send some random emails with a hidden image inside:

When a victim open this email, some information are leaked to "{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}". These information (User Agent, IP etc) are usefull for the botmaster because he can indentify specifics groups of users (Windows users for example).
The script used for victims classification:

Output for Windows users:

This spam campaign is maybe used for tests purpose or for target identification.

Gozi campaign

After the fingerprinting campaign, the spambot is used for spreading a dropper which leads to Gozi .
This JScript dropper is spread via fake invoices;
Some example of spams templates used during the campaign:
DHL invoce:

Insurance invoce:

Spam targeting Hotel:

Fake invoice
The first stage is a dropper in JScript - fattura_93785849.js:

The JScript tries to contact r4.php return another JScript code. This is the main component:

eval(r4.php?cmd=d) returns another JScript used for "Drop and Launch" Gozi . This script can be in 7 differents form:

This dropper is fully in JScript \o/
The C&C part is open, it's possible to retrieves some statistics:

Big picture of this JSDropper:

I've seen some switch between JSDropper and doc+macro during some times (
It's look like Gozi campaigns are not a so big deal...



Gozi samples


3 commentaires:

  1. Its very nice informative article. thanks for sharing such great article hope keep sharing such kind of article email extractor

  2. Your article reflects the issues people care about. The article provides timely information that reflects multi-dimensional views from multiple perspectives. I look forward to reading quality articles containing timely information from you. Thank you for sharing this great information.خرید بلیط هواپیما با گسترش روز افزون استفاده از اینترنت دچار تحولات زیادی شده است به طوری که امروزه بلیط هواپیما به مقاصد مختلف را می توان به صورت اینترنتی خریداری کرد. این روش دارای مزایای زیادی است که موجب می شود متقاضیان زیادی از این روش به صورت گسترده و روز افزون استفاده کنند. صرفه جویی در زمان و هزینه، سرعت و جابجایی در سفرهای بین شهری مسافران، باعث شده تا متقاضیان زیادی از روش خرید اینترنتی بلیط هواپیما استفاده نمایند. حق انتخاب گسترده تر مسافران یکی دیگر از مزایای استفاده از اینترنت در به دست آوردن بلیط دلخواه می باشد. با مراجعه به سایت تیک بان می توانید انواع بلیط هواپیما را به مقاصد مختلف و با قیمت های ارزان و اقتصادی مشاهده کرده و بهترین گزینه را رزرو کنید. - خرید بلیط هواپیما تیک بان - خرید بلیط اتوبوس - خرید بلیط قطار - چارتر