Proofpoint researchers spotted new variants of the Gozi, also known as the Ursnif, banking trojan dubbed “Dreambot,” some of which now include Tor communication capabilities and or peer-to-peer (P2P) functionality.
Dreambot is still in active development and is spread via numerous exploit kits and via email attachments and malicious links, according to an Aug. 25 blog post.
Researchers believe the Tor-enabled versions have been active since at least July 2016 and despite having this function, few variants use it as the primary mode of communication with their command and control (C&C) infrastructure, the post said. It was noted that this feature may be utilized more frequently in the future and if so, would create additional problems for defenders.
This is because the nature of Onion sites make it more difficult to take down the command and control of the Tor-enabled variants, Proofpoint Director of Emerging Threats Sherrod DeGrippo said.
“In addition, because the communications are encrypted via the Tor protocol, it can be more challenging for researchers to observe the traffic and behavior on the network,” DeGrippo told SCMagazine.com via emailed comments.
Researchers also noticed a version of the malware which appears to use a peer-to-peer protocol to communicate.
“This protocol operates over TCP and UDP and uses a custom packet format,” the post said. “Due to the addition of this functionality, the client code surface is almost twice as big as that of the Tor version.”
Researchers are still investigating this functionality and did not provide additional details.
DeGrippo said the recent updates make the malware more difficult to detect once a user is infected.
“Protection comes from making sure machines on a network have all software updates, ensuring mail is scanned for malicious attachments and URLs and observing network traffic with intrusion detection to determine which machines are generating traffic of this type,” she said.