The source package of the Gozi ISFB bot (aka Ursnif) has been leaked and is now publicly available to anyone. Ursnif is a fairly sophisticated tool for working with HTTP and HTTPS traffic on a victim's computer; it contains 32-bit and 64-bit payload components for injection into the working processes of web browsers such as Google Chrome, Microsoft Internet Explorer and Mozilla Firefox, as well as into the Services Manager service process.
Ursnif has been actively used by cybercriminals for about five years, and its very first versions appeared back in 2008. The attackers made heavy use of the Blackhole exploit kit to distribute the Trojan's droppers; we recently wrote that the author of Blackhole himself received a seven-year prison sentence. Gozi/Ursnif was used by attackers to steal various information from the victim's system, including credentials for services such as FTP, Telnet, POP3 and IMAP.
The source tree contains a fairly detailed description of the functions performed by the bot, as well as the purpose of its various components and files. Operators manage Ursnif through a C&C server that passes it instructions. The configuration files and command sets delivered to the bot are signed with the RSA asymmetric algorithm; if a file's signature does not verify, the bot discards the data it was sent.
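The check described above, as an added illustration that is not Gozi's own code: the operator signs a config with a private RSA key, and the bot recomputes the digest, checks it against the signature with the public key, and drops anything that does not verify. The key pair, the `signature || config` framing and the sample config string are constructed for the demo; a toy 40-bit modulus and a raw (unpadded) signature are used so it runs instantly, whereas a real deployment would use a 2048-bit key and a padded scheme such as RSA-PSS.

```python
import hashlib

# Constructed toy RSA key pair for the demo (NOT Gozi's key): two small primes.
P, Q = 1000003, 999983
N = P * Q                          # public modulus (~40 bits)
E = 65537                          # public exponent; gcd(E, phi(N)) == 1 for these primes
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the operator only
SIG_LEN = 8                        # bytes needed to carry any value below N


def digest_int(config: bytes, n: int = N) -> int:
    """SHA-256 of the config, reduced into the RSA group (the toy key is far smaller than a digest)."""
    return int.from_bytes(hashlib.sha256(config).digest(), "big") % n


def sign_config(config: bytes, d: int = D, n: int = N) -> bytes:
    """Operator side: produce the blob  signature || config  that is pushed to the bot."""
    sig = pow(digest_int(config, n), d, n)
    return sig.to_bytes(SIG_LEN, "big") + config


def verify_signature(config: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Bot side: recover the signed digest with the public key and compare."""
    return pow(sig, e, n) == digest_int(config, n)


def accept_config(blob: bytes, e: int = E, n: int = N):
    """Split a received blob into signature and config.

    Returns the config bytes only if the signature verifies; otherwise None,
    i.e. the bot discards the data (a truncated blob is discarded as well).
    """
    if len(blob) <= SIG_LEN:
        return None
    sig = int.from_bytes(blob[:SIG_LEN], "big")
    config = blob[SIG_LEN:]
    return config if verify_signature(config, sig, e, n) else None


if __name__ == "__main__":
    # Constructed sample config; the format is invented for the demo.
    cfg = b"inject=chrome.exe,firefox.exe,iexplore.exe;cnc=192.0.2.10"
    blob = sign_config(cfg)
    print("genuine blob accepted :", accept_config(blob) == cfg)
    print("tampered blob accepted:", accept_config(blob[:-1] + b"9") is not None)
```

Flipping a single byte of the config (or of the signature) makes `accept_config` return None, which is the behaviour the Readme attributes to the bot; note that because the bot only ever holds the public key, an analyst who obtains the samples still cannot forge a config that the bot will accept.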
Fig. Information about part of the Ursnif project from the Readme file.
The droppers and the DLL files used as payloads are encrypted, which complicates their analysis by antivirus analysts. Examples of Gozi files:
- Dropper file: link
- Decrypted dropper body: link
- Extracted 32-bit DLL file: link
- Extracted 64-bit DLL file: link
To register its payload, Gozi uses the trusted AppCertDlls registry key, HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls; DLLs listed there are loaded by Windows into processes that call the CreateProcess family of functions. It also hooks a number of functions in various Windows libraries in order to gain control over them:
- CreateProcessAsUser (A/W)
- CreateProcess (A/W)
- CryptGetUserKey
- InternetReadFile
- HttpSendRequest (A/W)
- InternetReadFileEx (A/W)
- InternetCloseHandle
- InternetQueryDataAvailable
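A practitioner's check for the persistence mechanism above, as an added example rather than anything from the Gozi sources: the script parses the text that `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" sm.reg` produces, collects every value under the AppCertDlls subkey, and flags entries whose DLL path lies outside %SystemRoot%\System32. The registry dump embedded below is constructed for the demo, the value names in it are invented, and the System32 heuristic is only a first filter: the key is normally empty, so every entry deserves a look, and a DLL inside System32 should still be hashed and checked for a valid signature.

```python
import re

APPCERT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"

# Constructed sample in `reg export` format (not a real capture). reg export
# escapes backslashes and quotes inside string values, hence the doubled "\\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"CriticalSectionTimeout"=dword:00278d00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"SysCert"="C:\\Windows\\System32\\syscert.dll"
"svchlp"="C:\\ProgramData\\svchlp\\svchlp32.dll"
"WinHelper"="\\\\?\\C:\\Users\\Public\\Libraries\\winhelper.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"TEMP"="%SystemRoot%\\TEMP"
'''

# "name"="string value"; dword:/hex: values are not paths and are ignored.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Locations a loader DLL is expected to live in; anything else is flagged.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")


def _unescape(s: str) -> str:
    """Undo reg-export escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_appcert_dlls(reg_text: str) -> dict:
    """Return {value_name: dll_path} for every string value under the AppCertDlls key."""
    entries = {}
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != APPCERT_KEY.lower():
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = (_unescape(g) for g in m.groups())
            entries[name] = value
    return entries


def triage(entries: dict) -> list:
    """Return (name, path, suspicious) per entry; suspicious = path outside System32."""
    findings = []
    for name, path in entries.items():
        norm = path.lower().removeprefix("\\\\?\\")   # drop the extended-length prefix
        suspicious = not norm.startswith(TRUSTED_PREFIXES)
        findings.append((name, path, suspicious))
    return findings


if __name__ == "__main__":
    found = parse_appcert_dlls(SAMPLE_REG)
    for name, path, suspicious in triage(found):
        print(("SUSPICIOUS" if suspicious else "review    "), name, "->", path)
```

On a live host the same parser can be fed the output of `reg export` or `reg query`; for the flagged paths, the follow-up is to hash the file and compare against the known Gozi samples, since the loader only has to be present in this key to be pulled into Explorer and, through it, into the browser processes the bot targets.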
Since Gozi is injected into the Windows Explorer process, it can control the creation of every process it is interested in, including the web browsers mentioned above, by hooking CreateProcess and CreateProcessAsUser. An example of such a hook is shown below.
Fig. Part of the source code of the kernel32!CreateProcess hook function. The presence of the _KERNEL_MODE_INJECT macro indicates a possible rootkit (kernel-mode) component of the bot.
Fig. Information about the assembly project.
According to IBM Security researchers, a hybrid of this malware, the Nymaim Trojan, has already been built on the basis of the Gozi source code; more about this can be found here. ESET antivirus products detect Gozi as Win32/PSW.Papras.