Banking trojan keeps up with modern times

Feb 18, 2016 22:06 GMT

The infamous Gozi banking trojan has just added support for Windows 10's Edge browser, updating its codebase to handle the discrepancies between Win10 and Microsoft's past OS versions.

The Gozi banking trojan first appeared on the malware scene in 2007, operated by a very small group of developers, targeting only English-speaking users.

After a developer accidentally leaked Gozi v1's source code online in 2010, the group started work on Gozi v2, an entirely new threat that could inject code directly into the browser, create fake content, and overlay it on top of legitimate banking portal Web pages.

Gozi v2 was launched in 2013, the year in which some of its coders were also arrested by authorities. This setback was temporary, and the trojan continued to evolve, adding an MBR rootkit component and spawning different variations, from both v1 (Vawtrak and Neverquest) and v2.

Gozi updates source code to target Edge users

According to the IBM X-Force team, the trojan has now added the ability to infect the new Microsoft Edge browser.

In principle, Gozi already worked fine on Windows 10, since it relied on the explorer.exe process to infiltrate the Web browser processes spawned from it.

This was not the case for Edge, because the browser's process was not spawned from explorer.exe but from RuntimeBroker.exe. This technicality meant that Gozi could not infiltrate Edge's core, despite being able to do so with more mature browsers like Firefox, Chrome, or Opera.

As the IBM team observed, the latest Gozi trojan now also targets the RuntimeBroker.exe process, from where the main Edge process, MicrosoftEdgeCP.exe, is spawned to launch the browser.
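The parentage difference described above is visible in ordinary process-creation telemetry. The following added example (not code from IBM X-Force or from this article) reconstructs process ancestry from constructed Sysmon-style records and lists which parent process hosts each browser, so a defender monitoring for browser injection knows to watch RuntimeBroker.exe alongside explorer.exe; the PIDs and process tree are assumptions built for illustration.

```python
from collections import defaultdict

# Browser images named in the article; MicrosoftEdgeCP.exe is Edge's content process.
BROWSERS = {"firefox.exe", "chrome.exe", "opera.exe", "MicrosoftEdgeCP.exe"}

# Constructed sample records (pid, ppid, image); simplified tree, not real telemetry.
EVENTS = [
    (4, 0, "System"),
    (600, 4, "wininit.exe"),
    (700, 600, "services.exe"),
    (800, 700, "svchost.exe"),
    (1000, 800, "RuntimeBroker.exe"),
    (1200, 600, "explorer.exe"),
    (1300, 1200, "firefox.exe"),
    (1400, 1200, "chrome.exe"),
    (1500, 1200, "opera.exe"),
    (1600, 1000, "MicrosoftEdgeCP.exe"),
    (1700, 1000, "MicrosoftEdgeCP.exe"),
]


def build_tree(events):
    """Index records as {pid: (ppid, image)} for parent lookups."""
    return {pid: (ppid, image) for pid, ppid, image in events}


def ancestry(tree, pid):
    """Return image names from pid up to the root (loop-safe)."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        chain.append(image)
        pid = ppid
    return chain


def browser_parents(events):
    """Map each parent image to the sorted browser images it spawned."""
    tree = build_tree(events)
    parents = defaultdict(set)
    for pid, ppid, image in events:
        if image in BROWSERS and ppid in tree:
            parents[tree[ppid][1]].add(image)
    return {parent: sorted(kids) for parent, kids in parents.items()}


def injection_watchlist(events):
    """Processes that spawn browsers: the footholds browser-injecting malware needs."""
    return sorted(browser_parents(events))
```

Running `injection_watchlist(EVENTS)` on the sample tree yields both explorer.exe and RuntimeBroker.exe, which is exactly the gap the article says the updated Gozi closed.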

Once Gozi can send commands to the Edge browser process, the rest is business as usual: it watches the user's browser history and intervenes every time it sees the user navigating to a known banking portal.

When that happens, Gozi draws on an internal database of fake login pages and instructs the Edge browser to display its page instead of the real one, allowing it to intercept the user's login details and then relay them to the real bank.

Currently, IBM is reporting on an ongoing Gozi campaign that's targeting users in the UK, the US, and South Africa. The variant has Edge support, but the good news is it's also detected by more than half of antivirus engines on VirusTotal.

Gozi is not the first banking trojan to add Windows 10 and Edge support. The first was Dyreza, a variation of the Dyre banking trojan, which added it last November.

Image: Gozi trojan adds support for Edge browser
Image: Gozi source code, includes Edge support