Banking trojans, like ransomware, have become big business. The people behind them keep innovating, updating their products to keep pace with new platforms and to keep reaching victims.
There is a virtual smorgasbord of malware out there looking for ripe pickings. One is the Gozi banking trojan, which injects its code into the victim's browser process in order to spy on and tamper with what the user does there. With Windows 10 being offered (pushed) for free, malware makers are scrambling to keep up with its adoption rate, and Gozi has just received an update that makes it work with both Windows 10 and its new Edge browser. Given that most users stick with the default browser in Microsoft's operating system, this makes perfect sense.
Researchers at IBM X-Force found that “the malware’s developer has found a new way to use the same overall code injection mechanism on the Win10 Edge browser as it did on previous Windows OS versions. The code behind this new capability can now be injected into the MicrosoftEdgeCP.exe process, which is the Edge browser’s process”.
On earlier versions of Windows, Gozi injects itself into explorer.exe and from there into each of its child processes, which include the browsers the user launches from the desktop, so the infection follows the user into the browser. That is what gives it its keylogging ability, among other nasty things you don’t want on your PC. With Windows 10 and Edge, things changed slightly.
That approach doesn’t reach Edge, whose browser process is not a child of explorer.exe, so the programmers came up with a new method of attack. “Gozi needed a new workaround for Windows 10. Its developer began by going to the new parent process and leveraging another process: RuntimeBroker.exe. The latter is the parent process of the Edge browser in Windows 10 machines”, states researcher Or Safran.
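The pattern described above, a parent process that launches a browser and then plants code in it, is also something a defender can hunt for. The following is an added example, not code from the article or from IBM X-Force: a small hunting heuristic run over constructed, simplified Sysmon-style events. It assumes (hypothetically) that events arrive as pipe-delimited lines carrying a subset of the fields of Sysmon Event ID 1 (process creation) and Event ID 8 (CreateRemoteThread), and that the injection shows up as a remote thread created in a browser process by that process’s own parent, or by explorer.exe or RuntimeBroker.exe. The process tree is rebuilt from the Event ID 1 records so that each remote-thread event is checked against the target’s actual parent rather than against an image name alone.

```python
"""Hunt for parent-to-child remote-thread injection into browser processes.

Added example, not from the article or IBM X-Force. Event format, PIDs and
paths below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Union

# Browser content/main processes worth watching (assumption: this list).
BROWSER_IMAGES = {"microsoftedgecp.exe", "iexplore.exe", "chrome.exe", "firefox.exe"}
# Parents named in the article's description of Gozi's injection path.
SUSPECT_PARENTS = {"explorer.exe", "runtimebroker.exe"}


@dataclass
class ProcessCreate:  # subset of Sysmon Event ID 1 fields
    pid: int
    image: str
    parent_pid: int
    parent_image: str


@dataclass
class CreateRemoteThread:  # subset of Sysmon Event ID 8 fields
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str


Event = Union[ProcessCreate, CreateRemoteThread]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> Event:
    """Parse one constructed line: 'EventID|pid|image|other_pid|other_image'.

    For Event ID 1 the 'other' fields are the parent; for Event ID 8 they are
    the target of the remote thread.
    """
    event_id, pid, image, other_pid, other_image = line.strip().split("|")
    if event_id == "1":
        return ProcessCreate(int(pid), image, int(other_pid), other_image)
    if event_id == "8":
        return CreateRemoteThread(int(pid), image, int(other_pid), other_image)
    raise ValueError(f"unsupported event id {event_id!r}")


def find_parent_injections(events: List[Event]) -> List[dict]:
    """Return a finding for each remote thread created in a browser process
    by its parent, or by one of the parents Gozi is known to abuse."""
    tree: Dict[int, ProcessCreate] = {}
    findings: List[dict] = []
    for ev in events:
        if isinstance(ev, ProcessCreate):
            tree[ev.pid] = ev
            continue
        target = image_name(ev.target_image)
        if target not in BROWSER_IMAGES:
            continue
        created = tree.get(ev.target_pid)
        by_parent = created is not None and created.parent_pid == ev.source_pid
        source = image_name(ev.source_image)
        if by_parent or source in SUSPECT_PARENTS:
            findings.append({
                "source": source, "source_pid": ev.source_pid,
                "target": target, "target_pid": ev.target_pid,
                "reason": ("remote thread from parent process" if by_parent
                           else "remote thread from explorer/RuntimeBroker"),
            })
    return findings


# Constructed sample events (not a real capture).
SAMPLE_EVENTS = [
    "1|804|C:\\Windows\\System32\\RuntimeBroker.exe|612|C:\\Windows\\System32\\svchost.exe",
    "1|1320|C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe|804|C:\\Windows\\System32\\RuntimeBroker.exe",
    "1|2200|C:\\Program Files\\Mozilla Firefox\\firefox.exe|1000|C:\\Windows\\explorer.exe",
    "1|2300|C:\\Windows\\System32\\notepad.exe|1000|C:\\Windows\\explorer.exe",
    # Windows 10 pattern: Edge's parent opens a thread inside the Edge content process.
    "8|804|C:\\Windows\\System32\\RuntimeBroker.exe|1320|C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe",
    # Older pattern: explorer.exe injecting into a browser it spawned.
    "8|1000|C:\\Windows\\explorer.exe|2200|C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    # Remote thread into a non-browser process: outside this heuristic's scope.
    "8|1000|C:\\Windows\\explorer.exe|2300|C:\\Windows\\System32\\notepad.exe",
    # Remote thread into a browser from an unrelated process: not the parent pattern
    # (a broader rule would flag this too).
    "8|3100|C:\\Tools\\debugger.exe|2200|C:\\Program Files\\Mozilla Firefox\\firefox.exe",
]


def run_sample() -> List[dict]:
    return find_parent_injections([parse_event(line) for line in SAMPLE_EVENTS])


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['source']}({f['source_pid']}) -> {f['target']}({f['target_pid']}): {f['reason']}")
```

Running the sample flags the RuntimeBroker.exe → MicrosoftEdgeCP.exe thread and the explorer.exe → firefox.exe thread, and ignores the rest. The heuristic is deliberately narrow: it matches the parent-to-child pattern the article describes, and a remote thread into a browser from any other process would need a separate, broader rule. Debuggers and some security products also create remote threads in browsers, so treat a hit as a lead for an analyst, not as a verdict.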
The Gozi banking trojan was first detected back in 2007, making it one of the oldest in the business. Parts of its code have since turned up in other malicious software. Security researchers will continue to monitor this latest iteration of Gozi and attempt to keep users one step ahead.