Gozi Banking Trojan Upgrades Build to Inject Into Windows 10 Edge Browser

This post was co-authored with IBM X-Force researcher Or Safran.
---

IBM X-Force researchers have recently detected a new Gozi Trojan build propagated to endpoints in the wild.

Alongside some interesting changes made to the malware, the researchers reported that Gozi’s developer has successfully updated the Trojan’s code injection mechanism to perform form grabbing and webinjections in the Windows 10 Edge browser.

Because the Windows 10 operating system upgrade is offered to home users at no cost, adoption of the platform has been rapid, and malware authors are hurrying to update their code to run on Windows 10 endpoints. Moreover, since Windows 10 ships with a new browser, Microsoft Edge, cybercriminals need their malware to operate seamlessly on that software as well.

By injecting the Trojan’s code into the operating system’s and the browser’s processes, cybercriminals can control the browser to monitor victim activity, grab form data and deploy webinjections, which are among the most powerful tools criminals have against unsuspecting victims.

Within that context, Gozi is the most recent Trojan to achieve the ability to inject code into the Edge browser, but it is not the first.

Tinba v3 can inject code into the Edge browser as well, although it has not yet been able to deploy webinjections there. Ramnit, too, can inject code into Edge and deploy webinjections in that browser. One of the better-known examples is the Dyre Trojan, which was reportedly upgraded for deployment on Windows 10 endpoints and code injection into the Microsoft Edge browser in November 2015, before the gang’s takedown.
