Gozi Banking Trojan Is Back, Targeting Windows 10’s Edge Browser!

The Gozi Trojan was first discovered by security researchers in 2007. Its authors worked on it for five years and then attacked machines in several countries: many computer systems in Germany, France, Italy, Finland, Turkey and the United States were affected. The variant used against those countries was “Gozi v1”, and its source code was leaked by its developers in 2010.

The Gozi Trojan is back, and its many new features are what make it more harmful now. It is targeting the Edge browser on Windows 10. Before Edge, Tinba v3, Dyre and Ramnit were the targets of the Gozi Trojan.

This Trojan has two new features:

1. It can create fake content by injecting malicious code into the browser.

2. Its authors have coded it in a way that lets it infect the Edge browser very easily.

As we know, Microsoft added the Edge browser in Windows 10. The cybercriminals behind Gozi use an older code-injection mechanism against Edge's “MicrosoftEdgeCP.exe” process. They control the Trojan through C&C (command and control) servers, and it can send commands to that Edge process, from where it can read the entire browser history and steal cookies. All of this happens from Edge's “RuntimeBroker.exe” process: Gozi first targets “RuntimeBroker.exe”, and from there it gets direct access to the “MicrosoftEdgeCP.exe” process.
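The two-step chain described above (a foreign thread lands in RuntimeBroker.exe, which then opens MicrosoftEdgeCP.exe with the rights needed to write and start code) is something endpoint telemetry can catch. The detector below is an added example, not tooling from the article or from IBM: it walks constructed events that only mimic the fields of Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess), and the file paths, PIDs and the `invoice.exe` dropper name are made up for the sample; a real collector emits XML or JSON, so the loading step is the part to adapt.

```python
"""Detect the RuntimeBroker.exe -> MicrosoftEdgeCP.exe pivot in Sysmon-style telemetry.

Added example, not tooling from the article or from IBM. The event dictionaries
below are constructed and only mimic the fields of Sysmon Event ID 8
(CreateRemoteThread) and Event ID 10 (ProcessAccess).
"""
import ntpath
from dataclasses import dataclass

# Process access rights (winnt.h) that together let a caller write code into
# another process and start it: the classic user-mode injection combination.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

EDGE_CONTENT = "microsoftedgecp.exe"  # Edge content process named in the article
BROKER = "runtimebroker.exe"          # the process Gozi goes through first
EDGE_FAMILY = {EDGE_CONTENT, "microsoftedge.exe"}


@dataclass
class Finding:
    severity: str
    reason: str
    source: str
    target: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def analyse(events):
    """Walk events in time order and return the suspicious ones as Findings."""
    findings = []
    injected_brokers = set()  # PIDs of RuntimeBroker.exe that received a remote thread

    for ev in events:
        src, dst = image_name(ev["SourceImage"]), image_name(ev["TargetImage"])

        if ev["EventID"] == 8:  # CreateRemoteThread
            if dst == BROKER and src != BROKER:
                injected_brokers.add(ev["TargetProcessId"])
                findings.append(Finding("medium", "remote thread created in RuntimeBroker.exe", src, dst))
            elif dst == EDGE_CONTENT and src not in EDGE_FAMILY:
                # A broker that was itself injected earlier is the chain from the article.
                chained = src == BROKER and ev["SourceProcessId"] in injected_brokers
                findings.append(Finding("critical" if chained else "high",
                                        "remote thread created in Edge content process", src, dst))

        elif ev["EventID"] == 10:  # ProcessAccess
            granted = int(ev["GrantedAccess"], 16)
            if dst != EDGE_CONTENT or not granted & INJECT_RIGHTS:
                continue  # read-only handles (e.g. 0x1000, QueryLimitedInformation) are normal noise
            if src == BROKER and ev["SourceProcessId"] in injected_brokers:
                findings.append(Finding("critical",
                                        "injected RuntimeBroker.exe opened Edge content process with write/thread rights",
                                        src, dst))
            elif src not in EDGE_FAMILY:
                findings.append(Finding("high",
                                        "non-Edge process opened Edge content process with write/thread rights",
                                        src, dst))
    return findings


# Constructed sample telemetry: a benign broker handle first, then the chain from the article.
# Paths and PIDs are made up; the Edge path in particular is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\RuntimeBroker.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\SystemApps\Edge\MicrosoftEdgeCP.exe", "TargetProcessId": 5308,
     "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "SourceProcessId": 6644,
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe", "TargetProcessId": 4120},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\RuntimeBroker.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\SystemApps\Edge\MicrosoftEdgeCP.exe", "TargetProcessId": 5308,
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\RuntimeBroker.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\SystemApps\Edge\MicrosoftEdgeCP.exe", "TargetProcessId": 5308},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason}: {f.source} -> {f.target}")
```

Run against the sample, the first (read-only) handle is ignored, the remote thread into RuntimeBroker.exe is flagged at medium, and the broker's subsequent write-capable handle and remote thread into the Edge content process are both raised to critical because the broker was already marked as injected. Baseline the ProcessAccess rule against your own telemetry before alerting on it: some legitimate software opens browser processes with broad rights, and the chained variant is the one that carries real signal.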

The Trojan is hard-coded by the criminals to recognize banking portals when a user fills banking details into a bank's form. Many banks in the United States have also been affected by this Trojan.

Gozi v2 was launched by the criminals in 2013. A number of developers who were writing code for this Trojan were arrested by security agencies at that time. After that, the criminals added a Master Boot Record (MBR) component to Gozi for high persistence, which gave “Gozi v2” some extra features compared with “Gozi v1”.

In Internet Explorer the criminals injected the “iexplore.exe” process, but in the Edge browser they inject the “MicrosoftEdgeCP.exe” process. Before Internet Explorer, this Trojan had infected Chrome, Opera and many other browsers. The Gozi Trojan uses these three functions: (i) kernel32!CreateProcessA (ii) kernel32!CreateProcessW (iii) kernel32!CreateProcessAsUserW
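Banking Trojans that live inside a browser typically reach those process-creation exports by overwriting the first bytes of the function in the victim process, so comparing the in-memory prologue of each export with the bytes in the on-disk kernel32.dll is a practical check during triage. The script below is an added example, not from the article or IBM: it assumes a defender has already captured both byte sequences (a debugger or a memory-forensics tool can do that), and the prologue bytes, the displacement in the fake jump and the choice of which export is hooked are all constructed for the sample.

```python
"""Spot user-mode inline hooks on the kernel32 exports named in the article.

Added example, not from the article or IBM. It assumes the caller has captured
the first bytes of each export from the on-disk kernel32.dll and from the live
process; the byte strings below are constructed to show a clean and a hooked
prologue and do not come from a real sample.
"""
import struct

PROLOGUE_LEN = 16  # bytes compared; long enough to cover every redirect stub below


def classify_redirect(code: bytes):
    """Name the control-flow redirect at the start of `code`, or None if there is none."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return f"jmp rel32 (displacement {rel:+#x})"
    if len(code) >= 6 and code[:2] == b"\xff\x25":              # jmp [rip+disp32] / jmp [abs32]
        return "jmp indirect"
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"                          # common x64 trampoline
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return "push/ret"
    return None


def check_export(name: str, on_disk: bytes, in_memory: bytes) -> dict:
    """Compare disk and memory prologues and flag a redirect the file itself does not contain.

    A mismatch alone is only a hint (the loader legitimately patches a few bytes);
    a redirect present in memory but absent on disk is the strong signal.
    """
    disk, mem = on_disk[:PROLOGUE_LEN], in_memory[:PROLOGUE_LEN]
    redirect = classify_redirect(mem)
    hooked = disk != mem and redirect is not None and classify_redirect(disk) is None
    return {"export": name, "modified": disk != mem, "redirect": redirect, "hooked": hooked}


def scan(samples: dict) -> list:
    """samples maps export name -> (disk_bytes, memory_bytes); returns only the hooked entries."""
    results = [check_export(name, disk, mem) for name, (disk, mem) in samples.items()]
    return [r for r in results if r["hooked"]]


# Constructed samples. The x86 hot-patchable prologue "mov edi,edi; push ebp; mov ebp,esp"
# stands in for the clean bytes; the hooked copy has its first five bytes replaced by a
# jmp rel32 with a made-up displacement, followed by the untouched tail of the function.
CLEAN_X86 = bytes.fromhex("8bff558bec83ec1c5356578b7d08")
HOOKED_X86 = bytes.fromhex("e9a0b3ffff83ec1c5356578b7d08")

SAMPLE = {
    "kernel32!CreateProcessA": (CLEAN_X86, CLEAN_X86),
    "kernel32!CreateProcessW": (CLEAN_X86, HOOKED_X86),
    "kernel32!CreateProcessAsUserW": (CLEAN_X86, CLEAN_X86),
}

if __name__ == "__main__":
    for r in scan(SAMPLE):
        print(f"{r['export']}: hooked via {r['redirect']}")
```

Only `kernel32!CreateProcessW` is reported for the constructed sample, with the redirect named as a relative jump. When running this against a real process, take the disk bytes from the same kernel32.dll build the process loaded and compare after relocation, otherwise a version mismatch will look like a modification; the `modified` flag is kept separate from `hooked` so those benign differences stay visible without being counted as hooks.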

EdgeHTML 13 was introduced by Microsoft to boost the browser's security. Security researchers at IBM have discovered a number of Edge browsers infected by this Trojan in South Africa, the UK and the United States.