Gozi is back… sophisticated Man-In-The-Browser Trojan with extensive HTML injection configuration file
After some silence, Gozi is back, virtually unchanged from the last outbreak in November last year. The target list is almost identical to that of the variant we analyzed then.
For more information about Gozi, please refer to our in-depth report from November 2010 as all technical details are still valid.
The injected HTML (the Man-In-The-Browser component) is also very similar to the one we analyzed before. What has changed are the C&C servers. Because the injected JavaScript code runs inside the banking website's HTTPS session and talks to the C&C servers from there, every C&C server needs a valid SSL certificate as well; a plain HTTP or self-signed endpoint would trigger the browser's mixed-content or certificate warning and give the injection away.
The certificate on the one we looked at was issued on February 10, 2011 (!)
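The flip side of that requirement is a simple defensive check, shown here as an added example that is not from the original post or from TrustDefender: once a post-injection copy of the page is captured, every script, iframe, form or link target that points away from the bank's own origin is a candidate for the inject, and anything loaded over plain HTTP inside the HTTPS page is the mixed-content case that a silent injection has to avoid. The bank hostname, the C&C hostname and the HTML below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a page after injection: one legitimate script from the
# bank, plus a script and an iframe pulled from a hypothetical C&C host.
# Both hostnames are placeholders, not real infrastructure.
BANK_ORIGIN = "https://online.examplebank.test"
SAMPLE_HTML = """
<html><head>
<script src="/static/login.js"></script>
<script src="https://cdn-static.example-cc.test/jquery.js"></script>
</head><body>
<form action="https://online.examplebank.test/login" method="post"></form>
<iframe src="http://cdn-static.example-cc.test/frame.html"></iframe>
</body></html>
"""


class _RefCollector(HTMLParser):
    """Collects every URL the page loads active content from or posts data to."""

    TAG_ATTRS = {"script": "src", "iframe": "src", "form": "action", "link": "href"}

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        wanted = self.TAG_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def classify_refs(html, page_origin):
    """Return (tag, url, verdict) for every active reference in html.

    verdict is one of:
      'same-origin'   - relative URL or absolute URL on the bank's own host
      'mixed-content' - plain http inside an https page; the browser warns or
                        blocks this, which is why a real inject is served over
                        https from a host with a valid certificate
      'third-party'   - https reference to some other host; the candidate
                        list for injected content and its C&C
    """
    origin = urlparse(page_origin)
    parser = _RefCollector()
    parser.feed(html)
    out = []
    for tag, url in parser.refs:
        u = urlparse(url)
        if not u.netloc:  # relative URL resolves against the bank's origin
            out.append((tag, url, "same-origin"))
        elif u.scheme == "http" and origin.scheme == "https":
            out.append((tag, url, "mixed-content"))
        elif u.netloc.lower() == origin.netloc.lower():
            out.append((tag, url, "same-origin"))
        else:
            out.append((tag, url, "third-party"))
    return out


def suspicious_hosts(html, page_origin):
    """Hosts that need a valid certificate to inject silently into this page."""
    return sorted({
        urlparse(url).netloc
        for _, url, verdict in classify_refs(html, page_origin)
        if verdict in ("third-party", "mixed-content")
    })


if __name__ == "__main__":
    for tag, url, verdict in classify_refs(SAMPLE_HTML, BANK_ORIGIN):
        print(f"{verdict:14} <{tag}> {url}")
    print("hosts to investigate:", suspicious_hosts(SAMPLE_HTML, BANK_ORIGIN))
```

Run against a real capture, the third-party hosts are the ones whose certificate issuance date is worth pulling, exactly as done for the February 10, 2011 certificate above; a freshly issued certificate on a host the bank never referenced is a strong signal.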
Technically there is nothing new to report, which is good and bad at the same time. The good news is that our report from November 2010 is still fully accurate; the bad news is that this most probably means the bad guys don't need to innovate, as they are successful enough with the current status quo.
If you need more information, the decrypted configuration file, samples, … drop us an email here: labs@trustdefender.com.