Windows 10' Edge Browser Targeted By The Gozi Banking Trojan

Image Source: securityintelligence.com

Windows 10's Edge Browser Targeted By The Gozi Banking Trojan

Gozi Banking Trojan targeted the Windows 10's Edge browser. It has been modified and updated to inject into the Edge browser of Windows version 10. In 2007, the first Gozi banking trojan appeared that only target the users of English-speaking by a group of developers. 

In 2010, Source Code of Gozi v1's had been leaked by the developer. And then after they started to work upon Gozi v2. Gozi v2 threat consists of many new features, some are:

>> It can inject the code right into the browser and can create fake content.

>> It can also easily infect the new Microsoft Edge browser.

Microsoft Edge, Tinba v3, Ramnit, Dyre are the latest affected targets of Gozi Trojan.

In 2013, Gozi v2 launched and in that year, some developers also arrested by authorities. Further, so many changes added to that like adding MBR (Master Boot Record) rootkit component for high persistency, different variations from v1 and v2. A Latvian cybercriminal was arrested in November 2012, who had written code for Gozi and admitted for the same. For that offence, he spent 10 months in a jail in Latvia and he was also extradited from the United States.

Gozi relied on the explorer.exe process and infiltrate those processes spawned by web browsers as the browser didn't spawn from explorer.exe, it means that Gozi couldn't infiltrate Edge's core.

The latest Gozi trojan has also targeted the RuntimeBroker.exe process, through which the browser can be launched by main Edge process, MicrosoftEdgeCP.exe. Gozi is able to send commands to the Edge process from where it can easily see history of the browser and can intervene also when he sees navigation to a known banking portal by the user. Previously it affected banks also in many countries like United States banks etc.

Web Page has been showed by the Edge browser instructed by Gozi and it allows the user's login details to intercept and relay. Apart from the Gozi, Dyreza was the first banking trojan that adds Windows 10 and edge support, in last November.

In previous versions of Windows, iexplorer.exe has been leveraged by Trojan to inject code in a browser but in Gozi RuntimeBroker.exe has been leveraged to inject the code in a browser. Along with the explorer.exe, it also injects code into other browsers like opera.exe, chrome.exe, iexplore.exe and firefox.exe.

The 3 main function that are hooked by the malware are:

kernel32!CreateProcessW

kernel32!CreateProcessAsUserW

kernel32!CreateProcessA

In order to prevent code injection, Microsoft updated the Edge browser in November 2015 and only the signed components by Microsoft and WHQL device drivers are loaded.

And to boost the browser's security a new version of web browser was introduced named as EdgeHTML 13. The current version of Gozi is being distributed in the countries like United Kingdom, United States and South Africa.

In the case of Windows 10, to inject the code into the browser, a number of hooks on kernel32.dll have been used by the Gozi developers. On VirusTotal, analyzed sample has been detected by 33 out of 55 security tools that directly proves that users are safe.