Friday, May 2, 2025
HomeMalwareNew Banking Trojan Steal Money From Bank Accounts by Abusing Windows OS

New Banking Trojan Steal Money From Bank Accounts by Abusing Windows OS

Published on

SIEM as a Service

Follow Us on Google News

A new dubbed Banking Trojan “Gozi” discovered that is capable of abusing windows users and stealing bank information from victims computer which has some advanced multi-component malicious programs future.

Gozi Banking Trojan Discovered Trojan.Gozi.64,which is used the same source code of the previous version of this malware and also added some advanced future that can infect both 32- and 64-bit Windows versions.

Trojan’s creator embedded a restriction into the malicious program that helps to perform its operation with Windows 7 and other latest version of windows computers.

- Advertisement - Google News

Also Read:  Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick

It is used separately downloaded plugins and it does not operate the malicious program in the very old version of Windows OS.

Gozi Banking Trojan used malicious plugins that have been discovered in Microsoft Internet Explorer, Microsoft Edge, Google Chrome, and Mozilla Firefox.

It can perform following malicious activities on the infected computers.

  • Check for any updates for the Trojan;
  • Download from remote server plugins for browsers used for web injections;
  • Download web-injection configurations from a remote server;
  • Obtain personal tasks, including those requiring the download of additional plugins;
  • Remote computer administration.

How does Gozi Banking Trojan Works

Initially, It installs the corresponding module to performing web injections in the browser once the victims install the malicious Plugins in their browser.

Later Gozi Trojan downloaded as a zip with help of command and control server which contains configuration for web injections.

Later Gozi injects the arbitrary content into user-viewed web pages which leads to fake authorization forms on bank websites and in online banking systems.

Since this web page modification directly performed into the infected computer the URL of whatever website is involved remains intact in the browser address bar.

A fake website that completely looks like a bank website Any data the user enters into a fake form is sent to cybercriminals.

According to Dr web, Along with this, some of aditional modules also will be downloaded into victims windows computer that may including remote access capability to injected victims computer, keylogger plugins,a plugin for stealing authorization data from mail clients, and some others.

Gozi Banking Trojan using baseconfig module which stored in a basic configuration that contains C&C’s and the master key to connecting to the server.

it contains some other modules as well, that has some interesting functions.

  • explorer.dll—the main module of the Trojan. It loads and executes the rest of the components using the basic plugins (bl.dll, rt.dll, netwrk.dll);
  • bl.dll—performing of web injections, various types of interactions with named Windows pipes, execution of files from the memory, encryption;
  • rt.dll—interaction with the Windows system registry, with files, operations with strings;
  • netwrk.dll—functions of operation with the network.

The module explorer.dll executes several task types:

  • Check for any updates for the Trojan;
  • Download from remote server plugins for browsers used for web injections;
  • Download web-injection configurations from a remote server;
  • Obtain personal tasks, including those requiring the download of additional plugins;
  • Remote computer administration.

IOC- SHA1

  • SHA1 loader stage 1
  • b974346e2b3a32720d4a214ca2b18a0032867f12
  • SHA1 loader.dll x32 stage 2
  • 1c8e47942eb0bdd32fe2883dee5953de6e06b9b8
  • SHA1 loader.dll x64 stage 2
  • 1a3bceab8c90779fd06760a037a347d21849fe3b
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

New MCP-Based Attack Techniques and Their Application in Building Advanced Security Tools

MCP, developed by Anthropic, allows Large Language Models (LLMs) to interface seamlessly with external...

Cyberattack Targets Iconic UK Retailer Harrods

Luxury department store Harrods has become the latest UK retailer to face a cyberattack,...

Nebulous Mantis hackers have Deployed the RomCom RAT globally, Targeting organizations.

Nebulous Mantis, also known as Cuba, STORM-0978, Tropical Scorpius, and UNC2596, is a Russian-speaking...

Why CISOs Are Adopting DevSecOps for Secure Software Development

CISOs adopting DevSecOps strategically enhance security measures while ensuring fast-paced software development, responding to...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New WordPress Malware Disguised as Anti-Malware Plugin Takes Full Control of Websites

The Wordfence Threat Intelligence team has identified a new strain of WordPress malware that...

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...

Outlaw Cybergang Launches Global Attacks on Linux Environments with New Malware

The Outlaw cybergang, also known as “Dota,” has intensified its global assault on Linux...