Researchers discovered that the Gozi banking trojan has been making use of the elusive "Dark Cloud" botnet for distribution in recent campaigns.
Researchers at Cisco Talos say they have been monitoring the banking trojan's activity for the past six months and have discovered a series of campaigns that are relatively low volume and targeted at specific organizations.
“These campaigns appear to be relatively low-volume, with the attackers choosing to target specific organizations. They do not appear to send large amounts of spam messages to the organizations being targeted, instead choosing to stay under the radar while putting extra effort into the creation of convincing emails, in an attempt to evade detection while maximizing the likelihood that the victim will open the attached files.”
Researchers observed that in the ongoing campaigns the distribution and C&C infrastructure stay active only for a specific period. The attackers use the Dark Cloud infrastructure to move quickly to new domains and IP addresses, not only for each campaign but even for individual emails that are part of the same campaign.
The trojan is distributed through malicious email campaigns carrying a Microsoft Word attachment that functions as a malware downloader.
The attackers craft emails that appear to be part of an existing email thread in order to convince victims of their legitimacy. In addition, they create additional email subjects and accompanying bodies to go with the malicious email.
“This is not something that is typically seen in most malicious email campaigns, and shows the level of effort the attackers put into making the emails seem legitimate to maximize the likelihood that the victim would open the attached file.”
When the Word document is opened, it displays a decoy image claiming that the attached document was created using Office 365 and instructs the victim to "enable editing" and "enable content" to view it.
If the victim follows these instructions, the embedded macros download and execute the malware from the attacker-controlled server.
The VBA macro is usually executed when the victim closes the document, to bypass sandbox detection. The macro downloads an HTA file from a web server and executes it without the user's knowledge.
Researchers analyzed more than 100 malicious Word documents from the campaign and found that the majority of them are individualized. Although they all appear similar, they differ slightly in their hashes, their VBA code, or the color of the decoy image.
Researchers also observed that in the majority of the campaigns the final payload is a banking trojan based on the Gozi ISFB code base. In some cases, payloads from other malware families, such as CryptoShuffler, Sennoma and SpyEye, were also observed.
The attackers use the Dark Cloud botnet, and its infrastructure overlaps across the campaigns. The botnet uses fast-flux techniques, which make tracking its backend infrastructure more difficult.
“One of the most prominent is the use of fast-flux techniques, which makes tracking the backend infrastructure more difficult. By frequently changing the DNS records associated with the malicious domains, attackers can make use of an extensive network of proxies, continuously changing the address of the IP being used to handle communications to the web servers the attacker controls.”
According to the analysis, the attackers appear to use proxies and hosts located in Eastern Europe, Asia, and the Middle East, while avoiding proxies located in Western Europe, Central Europe, and North America.
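As an added illustration (not Talos' code or anything from the report), the following Python applies the fast-flux signal described above to a constructed set of passive-DNS observations: a domain whose answers rotate through many addresses in unrelated networks with short TTLs is flagged, while a stable host and a CDN-style rotation within one provider range are not. The domains, addresses and thresholds are assumptions, not indicators from the campaign.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from statistics import mean

# Constructed passive-DNS observations: (domain, unix_ts, resolved_ip, ttl).
# Domains and addresses are placeholders, not indicators from the report.
SAMPLE_PDNS = [
    ("fluxy.example", 1000, "203.0.113.10", 150),
    ("fluxy.example", 1300, "198.51.100.7", 120),
    ("fluxy.example", 1600, "192.0.2.55", 180),
    ("fluxy.example", 1900, "203.0.113.200", 150),
    ("fluxy.example", 2200, "198.51.100.99", 120),
    ("static.example", 1000, "192.0.2.1", 86400),
    ("static.example", 2200, "192.0.2.1", 86400),
    ("cdn.example", 1000, "192.0.2.10", 300),
    ("cdn.example", 1300, "192.0.2.11", 300),
    ("cdn.example", 1600, "192.0.2.12", 300),
]

@dataclass
class FluxScore:
    domain: str
    unique_ips: int
    unique_slash16: int
    mean_ttl: float
    suspicious: bool

def score_fast_flux(records, min_ips=4, min_slash16=2, max_ttl=300):
    """Group passive-DNS answers per domain and apply a fast-flux heuristic.

    A fast-flux domain rotates through many addresses from unrelated networks
    and keeps TTLs short so resolvers re-query often; a legitimate CDN also
    rotates, but usually within a few provider-owned ranges with longer TTLs.
    Thresholds are assumed values for this example, not published ones.
    """
    by_domain = defaultdict(list)
    for domain, _ts, ip, ttl in records:
        by_domain[domain].append((ip_address(ip), ttl))
    results = {}
    for domain, answers in by_domain.items():
        ips = {ip for ip, _ in answers}
        # Network diversity (first 16 bits of the address) is the stronger
        # signal: proxies spread over unrelated networks, not one range.
        nets = {ip.packed[:2] for ip in ips}
        ttl = mean(t for _, t in answers)
        flag = len(ips) >= min_ips and len(nets) >= min_slash16 and ttl <= max_ttl
        results[domain] = FluxScore(domain, len(ips), len(nets), ttl, flag)
    return results

if __name__ == "__main__":
    for score in score_fast_flux(SAMPLE_PDNS).values():
        print(score)
```

In practice the records would come from a passive-DNS feed or resolver logs, and the flagged domains would be reviewed against the proxy geography noted above before blocking.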