The “Gozi” Trojan is a well known piece of crimeware that has been around for a couple of years now. It is surprising to see that this one continues to be actively hosted and distributed. For example, malicious pdf currently are being served from various servers to vulnerable clients that exploit the reader and download “update.exe“. This file in turn, installs itself as “xrt_mwbn.exe” and runs various components that gather data off of the victim’s machine and sends it off to an nginx web server. The Secureworks writeup is a lengthy but thorough explanation of the data being sent off of systems. Needless to say, you don’t want this stuff on your system.
Please take a minute to update your third party plugins. The latest Adobe Reader can be found at the Adobe web site.
