Group-IB has been tracking the Gozi banking Trojan since its early days. During recent threat hunting operations, on June 14, we detected a new sample of the Trojan in the wild. As soon as we conducted an in-depth investigation, we realized that the methods and techniques used had no relationship with those seen so far.
We are aware that reading articles on reverse engineering is often tedious and even difficult, which is why we will look at the latest version at a high level.
The kill chain resembles a matryoshka doll. All the stages are executed in memory: each stage downloads, decompresses and unpacks the next one, without directly dropping files to disk.