Related Families: Gozi (Ursnif)
Verticals Targeted: Financial
Executive Summary
Bleeping Computer recently reported on a malware campaign that uses CAPTCHA to bypass browser warnings and deliver Gozi. This technique appears to be a novel TTP for threat actors.
Key Takeaways
- A new malware campaign was observed leveraging CAPTCHA to trick victims into bypassing browser warnings.
- The campaign uses a decoy video to download a malicious file and uses a victim’s interaction with a fake reCAPTCHA to bypass browser warnings, accepting the file download.
- The file downloaded is an executable that leads to the delivery of the Gozi payload.
The Campaign
Bleeping Computer recently reported on a malware campaign leveraging CAPTCHA to trick victims into bypassing browser warnings. The campaign uses this technique to deliver a Gozi payload. This technique appears to be a novel TTP for threat actors.
The suspicious URL used in the campaign downloads a file when a victim attempts to watch an embedded YouTube video. While the video will appear legitimate to the victim, when the victim presses the play button, a file named console-play.exe is downloaded in the background.
Chrome browsers will warn the victim that the file is potentially malicious due to it being an executable. To bypass this warning, the threat actors use a reCAPTCHA to trick the victim into pressing B, S, Tab, A, F and Enter. While the letter keys do nothing, pressing the Tab key Tab targets the Keep option on the browser warning, and Enter causes the browser to download the file to the victim’s computer. The video on the page will then play, convincing victims of the completed CAPTCHA-initiated playback.
The goal of this campaign is to deliver a Gozi (Ursnif) payload. If the victim runs the executable, a folder is created, and numerous files are installed. All of the installed files are decoys, with the exception of BouncyDotNet.exe. BouncyDotNet.exe is launched and reads strings from Windows Registry to launch PowerShell commands. The commands compile a .NET application that launches the Gozi DLL.
What is Gozi?
Gozi, also known as Ursnif, is an info stealer and was once the most widely spread banking trojan. It has been active in the wild since at least 2015 and was made publicly available on GitHub after the source code was leaked. Gozi is capable of stealing information, including computer data, computer name, OS version, and user credentials. It communicates with a C2 to download additional components or payloads and allows remote execution of threat actor commands. Newer Gozi variants have been observed operating as a backdoor to distribute other malware, such as ransomware.
IOCs
PolySwarm has a Gozi sample associated with this campaign.
e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464
You can use the following CLI command to search for all Gozi samples in our portal:
$ polyswarm link list -f Gozi
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports