The hacking community always remains one step ahead of cybersecurity experts to find new ways to breach even the best firewalls in an effort to spread their malware.
The banking Trojan known as “Gozi” is one such malware. It has been used in attacks for over two years, and experts believe it will persist for some time yet in its newer form, Gozi ISFB.
The worrying issue for system administrators and cybersecurity experts is that the banking Trojan now uses the “Dark Cloud” botnet to obfuscate the IP address of the attacker’s system.
Email is the Vehicle that Carries the Arsenal
According to a report by Cisco Talos cybersecurity experts, the banking Trojan is delivered through innocuous-looking emails that carry a malicious Microsoft Word attachment. Once the document is opened, a prompt advises the reader to “enable editing” in order to view it.
A second prompt then asks the reader to “enable content.” Accepting it runs the embedded macros, which download the malware in the background.
The attacker’s clever touch is that the actual malware download happens only after the document is closed. To ensure that most intended victims open the file, it is made to look convincing, displaying a fake Microsoft Word interface that appears legitimate.
Going further, the contents are fully localized and even individualized.
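The delivery chain above relies on a Word attachment that carries a VBA project. As an added example (not code from the Cisco Talos report or from this article), the following Python script triages attachments before anyone is asked to “enable content”: it checks the real container type from the file’s leading bytes rather than its extension, looks for a `vbaProject.bin` part in OOXML (.docx/.docm) files, and applies a cheap heuristic for legacy OLE (.doc) files. The sample attachments, the `.example`-style filenames and the thresholds are constructed for the demonstration; the OLE check is a byte-pattern heuristic, not a full parse, and a real deployment would hand flagged files to a dedicated macro analyser such as oletools.

```python
"""Triage Office e-mail attachments for embedded VBA macros (added example)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docx/.docm zip container

# Directory-entry names inside an OLE compound file are stored as UTF-16LE,
# so these encoded storage names are a cheap (heuristic, not exhaustive)
# indicator that a VBA project is present.
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def ooxml_macro_parts(data):
    """Names of zip members that hold VBA code in an OOXML document."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]


def classify_attachment(filename, data):
    """Return {'format', 'has_macros', 'reasons'} for a single attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if data.startswith(ZIP_MAGIC):
        fmt = "ooxml"
        parts = ooxml_macro_parts(data)
        has_macros = bool(parts)
        if parts:
            reasons.append("VBA project found: " + ", ".join(parts))
    elif data.startswith(OLE_MAGIC):
        fmt = "ole"
        has_macros = any(marker in data for marker in OLE_MACRO_MARKERS)
        if has_macros:
            reasons.append("OLE directory contains a Macros/VBA storage name")
    else:
        fmt = "unknown"
        has_macros = False
        reasons.append("not an Office container; verify the true file type")
    if ext == "docm" and not has_macros:
        reasons.append("macro-enabled extension but no VBA project found")
    return {"format": fmt, "has_macros": has_macros, "reasons": reasons}


# --- constructed sample attachments (test data, not real malware) ---
def build_ooxml(with_macros):
    """Minimal in-memory OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole_like(with_macros):
    """Bytes that start with the OLE magic and optionally a 'Macros' entry name."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_macros:
        body += "Macros".encode("utf-16-le") + b"\x00" * 20
    return body


SAMPLES = {
    "invoice.docm": build_ooxml(with_macros=True),
    "report.docx": build_ooxml(with_macros=False),
    "notice.doc": build_ole_like(with_macros=True),
}


def triage(samples=SAMPLES):
    """Classify every sample attachment; returns {filename: verdict}."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(name, verdict)
```

Run the script as-is to see the three constructed verdicts; in a mail pipeline, `classify_attachment` would be called on each decoded attachment and anything with `has_macros` set would be quarantined or routed for sandbox analysis instead of being delivered to the user.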
Gozi and Other Malware Also Found
Apart from the banking Trojan built on the Gozi ISFB code, the attackers behind these campaigns have been found using other malware of similar types, such as CryptoShuffler and SpyEye.
More importantly, the methodology appears quite refined. For instance, the malware loader can identify the architecture of the target device and download either a 32-bit or a 64-bit build of the DLL.
The other aspect, as noted above, is the use of the Dark Cloud botnet to distribute the malware, whether Gozi ISFB or others. The effect of this distribution strategy is that proxies are used to change the DNS records continually, making it virtually impossible for cybersecurity experts to identify where the commands are being sent.
Cisco Talos researchers observed 287 IP address changes within a single 24-hour period, which gives an idea of how well organized the operators are.
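The behaviour just described, one hostname answering with hundreds of different IP addresses inside a day, is the classic fast-flux pattern, and it is detectable from passive DNS or resolver logs. The following Python script is an added example, not code from Cisco Talos or from this article: it parses constructed resolver log lines, counts the distinct A records each domain returned inside a sliding 24-hour window, and flags names that combine a high IP churn with short TTLs. The log format, the `.example` hostnames, the documentation-range IP addresses and the thresholds (20 distinct IPs, TTL at or below 300 s) are assumptions chosen for the demonstration; a production deployment would tune them against its own baseline.

```python
"""Flag fast-flux style domains from resolver logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
MIN_DISTINCT_IPS = 20   # assumed threshold; Talos saw 287 changes in 24 h
MAX_TTL = 300           # short TTLs are typical of flux networks (assumption)


def parse_line(line):
    """Parse '<ISO timestamp> <domain> <rtype> <ip> ttl=<seconds>' (assumed format)."""
    ts, name, rtype, ip, ttl = line.split()
    return datetime.fromisoformat(ts), name.lower(), rtype, ip, int(ttl.split("=")[1])


def max_distinct_ips_in_window(events, window=WINDOW):
    """events: time-sorted list of (timestamp, ip).
    Sliding window over the events; returns the largest number of distinct
    IPs seen within any span of length `window`."""
    counts = Counter()
    best = 0
    left = 0
    for ts, ip in events:
        counts[ip] += 1
        # drop events that fell out of the window ending at `ts`
        while ts - events[left][0] > window:
            old_ip = events[left][1]
            counts[old_ip] -= 1
            if counts[old_ip] == 0:
                del counts[old_ip]
            left += 1
        best = max(best, len(counts))
    return best


def find_flux_domains(lines, min_ips=MIN_DISTINCT_IPS, max_ttl=MAX_TTL):
    """Return {domain: {'max_distinct_ips_24h', 'min_ttl', 'suspect'}}."""
    per_domain = defaultdict(list)
    ttls = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, name, rtype, ip, ttl = parse_line(line)
        if rtype != "A":
            continue
        per_domain[name].append((ts, ip))
        ttls[name].append(ttl)
    verdicts = {}
    for name, events in per_domain.items():
        events.sort()
        distinct = max_distinct_ips_in_window(events)
        min_ttl = min(ttls[name])
        verdicts[name] = {
            "max_distinct_ips_24h": distinct,
            "min_ttl": min_ttl,
            "suspect": distinct >= min_ips and min_ttl <= max_ttl,
        }
    return verdicts


def constructed_log():
    """Constructed resolver log: one flux-like name and one stable name."""
    start = datetime(2018, 3, 1)
    lines = []
    # flux-like: a fresh 203.0.113.x address every 30 minutes for 24 h, TTL 60 s
    for i in range(48):
        ts = start + timedelta(minutes=30 * i)
        lines.append("%s update-cdn.example A 203.0.113.%d ttl=60" % (ts.isoformat(), i + 1))
    # stable: two addresses behind a long TTL, queried hourly
    for i in range(24):
        ts = start + timedelta(hours=i)
        lines.append("%s www.example A 198.51.100.%d ttl=3600" % (ts.isoformat(), 1 + i % 2))
    return lines


if __name__ == "__main__":
    for name, verdict in find_flux_domains(constructed_log()).items():
        print(name, verdict)
```

The sliding window matters: a busy but legitimate CDN hostname may accumulate many addresses over a month, but only a flux network cycles dozens of them inside one day, so the metric is distinct IPs per window rather than per domain lifetime. Pairing the churn count with the TTL cuts false positives from round-robin load balancers that rotate a small pool with long TTLs.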
Localized Attacks: Smaller Organizations Targeted
For whatever reason, the Gozi ISFB campaigns appear to be not only localized in content but also aimed at specific organizations.
Most of the targeted organizations are relatively small, which fits the strategy of customizing the messages and images in the emails. This further disguises the message so that the recipient has no reason to question its authenticity. In some cases, the emails were found to be part of an existing thread, giving the impression that there was nothing unusual about the attachment.
No Clear End to the Attacks Seen
Technical experts conclude that there may be no immediate solution to cyberattacks of this kind, because the strategy used to plant the Gozi ISFB banking Trojan is so effective, especially the constant shifting of DNS records.
It is also clear that the dominant malware among the family is the Gozi banking Trojan.
According to Cisco Talos staff, an analysis of the infrastructure hosting the botnet indicates that it may be related to several forms of cybercriminal activities such as carding and dating spam.
In addition, research revealed that the command-and-control infrastructure was located in Asia, the Middle East and Eastern Europe, while locations such as Western and Central Europe and North America appeared to have been deliberately avoided.
Overall, the surest defense against these banking Trojan attacks is to be very cautious when opening email attachments, especially if the message was not sent by someone already in your contacts list.