New Gozi Trojan Version Can Bypass Some Behavioral Biometrics Defenses

Share this…

New Gozi campaign targets Japan, Spain, Poland. The latest version of the Gozi banking trojan that’s currently under development comes with a few tricks up its sleeve, including an increased role for malicious human operators during the infection process and the ability to bypass some behavioral biometrics defenses.

This new Gozi version is currently active in countries such as Japan, Spain, and Poland, and it targets financial organizations such as PayPal, CitiDirect BE, ING Bank, Société Générale, BNP Paribas, the Bank of Tokyo, and many more.

New Gozi version detected

According to buguroo, this version of Gozi is not associated with GozNym, another banking trojan that spun off from the Gozi source code leaked online in 2015.

This new Gozi version uses Web injection attacks, as the original Gozi strain. GozNym also used Web injection attacks but switched to redirection attacks in June.


Web injection attacks rely on malicious DLLs loaded in the user’s browser to show overlays on top of a Web page when the victim is visiting a banking portal supported by the trojan’s modules.

Each Gozi module supports a Web injection package that shows a fake page on top of the original banking portal. It’s basically a Web injection module for each targeted financial institution.

These modules can collect login credentials for the banking portal during the login process, but they can also hijack the payment transfer page.

Gozi updated with support for human operators

Some of these Web injection attacks work in real time, with a crook at the other end of the line, deciding to what “mule” account to redirect stolen money, and what sum. There are cyber-crime infrastructures to hire on the Dark Web that provide support centers for these types of operations.

In the recent Gozi infections, buguroo says it detected such behavior. Gozi is not the first trojan to use human operators when dealing with Web injection attacks.

For smaller accounts, the Gozi trojan was still automated, selecting a random mule account and fixed payment sum, but when the trojan infected high-value targets, a human operator took over and decided to which “mule” account to transfer the cash, along with a higher sum, if possible. This was specific to situations where the crooks infected business accounts.

Gozi adds support for bypassing basic behavioral biometrics defenses

Banks are constantly fighting back against banking trojans like Gozi and their complex cyber-crime infrastructure. Some of them have deployed behavioral biometrics solutions that record the speed and cadence at which users type and move the cursor between input fields. Security researchers say that this new Gozi version logs these values as well.

“The malware uses these values to fill the necessary fields to perform the fraudulent transfer in what appears to be an attempt to bypass protection systems based on biometrics of user behavior,” buguroo explains.

Specifics about this new Gozi variant will be presented at the Black Hat USA 2016 security conference taking place in Las Vegas. Details include a breakdown of the Web injects, C&C communication technicalities, and a comparison with the Gootkit trojan.