Detect Gozi Banking Malware With Zeek!

Join the Old Grizzled FBI Agent to hear how to detect the Gozi Banking Malware Family with Zeek!

Corelight Blog:


00:00:10:47 – 00:00:41:11
Old Grizzled FBI Agent
Hi there. This is your favorite obligatory grizzled FBI agent again. You may wonder why I have my gun out. And this pair of binoculars. They’re here for my and your protection. Hah hah hah hah hah hah hah. Listen, I’m here to talk to you about a real serious subject. The Gozi banking malware family. Once again, the fine folks over at a company named Corelight,

00:00:41:15 – 00:01:05:45
Old Grizzled FBI Agent
they put together a blog on how to detect this malware family using Zeek. Zeek is an open source tool you can use to analyze your network data. So what you can do is you can write scripts to analyze your network data and look for signs of Gozi banking malware C2 traffic. I have a buddy over at Corelight Labs and his name is Keith Jones.

00:01:05:50 – 00:01:29:41
Old Grizzled FBI Agent
He has a podcast and it talks about electronic true crime cases. One of his episodes, he was covering the Gozi banking malware group. And after he was done, he wondered if he could detect that malware C2 on the network. And if you haven’t checked out his podcast, I’ll put a link here so you can go to the episode where I show up and I get to swear at the criminal.

00:01:29:46 – 00:01:53:38
Old Grizzled FBI Agent
It’s great, great stuff. I really recommend you check it out. All right, let’s get back to Gozi here. Then Doctor Jones went over to a website called Malware Traffic Analysis. And this is a really good website where they pick apart different types of malware and they give you the PCAPs, which are file representations of the network traffic when that malware was executed.

00:01:53:42 – 00:02:26:24
Old Grizzled FBI Agent
Now, according to the notes from malware traffic analysis, there are two types of traffic in Gozi C2 communications. The first is a really long URL over HTTP that is basically base64 string encoded, plus a little extra that we’ll talk about here in a minute. The other type of traffic, well, they’re accessing these files that look like RAR files.

00:02:26:24 – 00:03:03:42
Old Grizzled FBI Agent
And you’ll see VNC rar this other one that I probably can’t even pronounce correctly in the middle called stilak and then one at the bottom down there called cook. And then they have different versions with 32 and 64. So for instance you have VNC 32 dot RAR, A VNC 64 dot RAR. Keith was telling me that he thought it would be too simple to search for these RAR files to find this malware, but when they searched their customer historical logs every time these RAR files were observed, there was malware involved!

00:03:03:47 – 00:03:31:18
Old Grizzled FBI Agent
So this is one method that Corelight will use to detect the Gozi banking malware. Now let’s address these really long base64 encoded URLs I talked about previously. Now these really long URLs that are base64 encoded, they usually start with a directory that is a normal English word like uploaded. Now uploaded is what we’re going to use in the example here,

00:03:31:18 – 00:03:57:46
Old Grizzled FBI Agent
but we see in other words used out in the wild. Now another thing Gozi will do is throw in random forward slashes to make it look like a normal URL. These forward slashes in the end, Gozi will just throw them out. Now base64 has four characters a plus, a forward slash, a new line, and a carriage return that are encoded a little differently in the URL.

00:03:57:51 – 00:04:33:39
Old Grizzled FBI Agent
Gozi encodes them as a underscore two b, underscore two f, underscore zero a, and underscore zero d. So if you put all that information together you get a regular expression kind of like this. Now Gozi will use a lot of forward slashes where most normal URLs will not. If we put a condition to see at least ten forward slashes on our regular expression, that’ll help eliminate any false positives that we see in practice.

00:04:33:44 – 00:05:00:53
Old Grizzled FBI Agent
Use this command to search all your Zeek logs for Gozi, assuming you save your Zeek logs in t s v format. Next in this blog, Corelight shows you the Zeek code that they wrote so you could detect Gozi live on your network as it happens. Now it looks like a lot of source code, and it is. But there’s only two things you really need to know.

00:05:00:58 – 00:05:34:54
Old Grizzled FBI Agent
The first is here are the two regular expressions that I discussed earlier that will cover the RAR files and the long base64 encoded URLs. The second thing you need to know is we’re only handling the HTTP request event, and once we match these regular expressions that I just discussed inside this event, we fire a notice and we write the Gozi malware payload to a Gozi dot log.

00:05:34:59 – 00:05:59:14
Old Grizzled FBI Agent
Now you’ll notice in the code here that Corelight has put a check in for entropy and says the payload has to have entropy of at least four. This is because Gozi’s payload is encrypted and encrypted data has higher entropy. And your next question should be hey grizzled FBI agent, are there any variants of Gozi that this logic will detect?

00:05:59:19 – 00:06:21:37
Old Grizzled FBI Agent
And the answer is yes. Here’s a half dozen here. And there are probably more variants out there that we don’t even know about. So this logic will detect other malware families that have them based upon Gozi. Now, if you install the Zeek code at this link and then you run it on the PCAP that we discussed earlier, you’re going to get a Gozi dot log like this.

00:06:21:42 – 00:06:49:33
Old Grizzled FBI Agent
And you can see the colored areas here, this is the Gozi payloads that we talked about earlier. You can see the base64 encoded URLs here. And then you can see the RAR files down here. So all of this is clearly Gozi traffic. And if you open your notices log you’ll find some detections in there as well. You can see they’re very similar to the Gozi dot log that I just showed you earlier.

00:06:49:38 – 00:07:06:24
Old Grizzled FBI Agent
And before we conclude please like and subscribe. Okay. Well, this old grizzled FBI agent wants to thank you for checking out my video. I really hope you come back and you check out one of my other videos soon. Thanks. Bye.

Leave a Reply

Your email address will not be published. Required fields are marked *