Probing the Gozi-Prinimalka Campaign

Last month, we posted an entry about a planned massive fraud campaign targeting various US banks. This attack was expected to use the newly-developed Gozi-Prinimalka, a malware that exhibits Gozi-like behavior.

There have been rumblings in the underground that this campaign has been shelved; however, we here at Trend Micro are still actively monitoring developments for this case. Rumor or not, it is best that customers and users out there should have the applicable solutions for the threat.

Analysis on Gozi-Prinimalka

To find out more about this Gozi-Prinimalka malware, we acquired samples and analyzed them to check the malware’s routines and notable behaviors. The first sample, detected as BKDR_URSNIF.B, monitors users’ browsing activities. It gathers information if it contains specific strings related to banking and financial institutions such as PayPal, Wells Fargo, and Wachovia among others.

The second sample, which is detected as BKDR_URSNIF.DN checks the existence of the registry entry, HKEY_CURRENT_USER\Software\Classes\FirefoxHTML\shell\open\command to locate firefox.exe. This is done to create a file that drops JS_URSNIF.DJ. Similar to BKDR_URSNIF.B, BKDR_URSNIF.DN is designed to monitor specific US banking and financial sites.

If the said registry entry is not found, the malware will not perform its information stealing routines. However, it will still perform its other routines (backdoor communication etc.).

To steal information, this backdoor injects JS_URNSIF.DJ into monitored sites. Once affected users encode their login credentials into these sites, the malicious JavaScript gathers this data and sends it to specific remote URLs via HTTP POST.

Both backdoors (BKDR_URSNIF.B and BKDR_URSNIF.DN) communicate with several command and control (C&C) servers to send and receive commands from a remote user, thus further compromising the security of the infected systems.

During the course of our monitoring, we spotted additional targeted institutions in the configuration files. The following entities can be targeted using man-in-the browser attacks through webinjects functionality:

  • TDBank
  • Firstrade.com
  • Optionsxpress.com

Trend Micro has already informed and alerted the said institutions.

Prevalent Infostealers

Stolen information translates to profit for cybercriminals. In the past few days, we reported notable information-stealing malware such as PASSTEAL and PIXSTEAL, which have various information theft routines that further the ammunition used by cyber-criminals for data exfiltration operations. PASSTEAL employs a password recovery app to steal information stored on browsers. So even if users visit sites that have HTTPS or SSL connections, their credentials can still be stolen. On the other hand, PIXSTEAL steals image files.

Data exfiltration exhibited by Gozi and other banking Trojans like ZeuS is a continuing thorn in the sides of banking and financial institutions because this is “where the money is”. These sites are also considered as low-hanging fruits for cyber-criminals to take advantage of and exploit. Not only can regular online accounts by end users be targeted by these attacks, but also corporate and business accounts by small-medium businesses and even those by large enterprises.

Users are advised to remain vigilant against threats leveraging the reported institutions. It is also best to verify first with the institutions directly any email or notification received.

Moreover, we advise users to not totally get rid of paper or snail-mailed communications from banks e.g. account statements, because these can be used to counter-check their account vis-a-vis the presented funds online, which the malware/Trojans can alter so that users won’t suspect any foul play. Sad to say, cyber-criminals have also exploited the paperless campaign of online banking sites.

As always, Trend Micro Smart Protection Network protects users from this threat by detecting and deleting these files and blocking related C&Cs.

Additional analysis by Michael Cabel

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Probing the Gozi-Prinimalka Campaign

Read more: Probing the Gozi-Prinimalka Campaign

Story added 13. November 2012, content source with full text you can find at link above.