Gozi, also known as Ursnif or ISFB, is a banking trojan which has been around for a long time and currently multiple variations of the trojan are circulating after its source code got leaked. Every variant that is distributed has interesting aspects, with Gozi version 3 the most eye-catching in the field of detection evasion.
In this blog we will discuss some of the techniques which Gozi V3 uses in an attempt to bypass endpoint defense. Additionally we will also discuss how researchers can use these evasion techniques to their advantage, since they produce a unique and distinctive behavioral pattern.
Gozi’s infection chain
Gozi V3 is distributed via spam mails which link to a malicious file, such as an obfuscated Visual Basic script, which acts as a dropper component. The dropper component downloads and executes an executable with a valid digital signature. We will refer to this executable as the Gozi loader.
The function of this loader is to reach out to the command-and-control (C2) server to retrieve the main Gozi executable. The threat actors behind Gozi try to prevent researchers from interacting with the C2 and obtaining payloads.
One way the Gozi attackers do this is by restricting payload delivery at the server side: The Gozi dropper only works if the IP address of the machine requesting the file geolocates to a region targeted by the malspam (geo restriction), and if the request comes in within a relatively short time frame relative to the start of the spam campaign. This strategy may result in a smaller infection rate, but it avoids the chance that researchers obtain the payload and write detections against it.
If the victim’s machine gets a valid C2 response, the Gozi payload is stored in the registry in the form of a PowerShell script. This fileless technique allows the Gozi threat actors to avoid traditional static (file on disk) detection. Upon system startup the PowerShell script injects the Gozi worker into the explorer process, at which point the infection chain is complete and Gozi again reaches out to the C2 server.
The C2 server this time responds with components which aid Gozi in its money-stealing activities, such as webinjects.