20min.ch Malvertising Incident

Published on April 8, 2016 09:38 UTC by GovCERT.ch (permalink)
Last updated on April 8, 2016 10:16 UTC

With this blog post we would like to share Indicators of Compromise (IOCs) related to the attacks against 20min.ch, a popular newspaper website in Switzerland that was compromised and abused by hackers to infect visitors with an ebanking Trojan called Gozi ISFB. The IOCs shared in this blog post may be used to spot infections within corporate networks.

The compromise of 20min.ch is just one part of a bigger malvertising campaign that has been targeting Swiss internet users since at least spring 2015. The goal of the campaign is to infect Swiss citizens with Gozi ISFB and commit ebanking fraud (see Swiss Advertising network compromised and distributing a Trojan and Gozi ISFB - When A Bug Really Is A Feature). MELANI / GovCERT.ch is aware of thousands of computers that were infected with Gozi ISFB in the past months and subsequently used to access ebanking accounts without the victim’s consent.

We are aware that this Gozi campaign is targeting not only Swiss citizens, but also corporate bank accounts of small and medium-sized businesses (SMBs) in Switzerland. We therefore recommend that SMBs in Switzerland review their IT security arrangements accordingly (see our recommendations at the end of the blog post).

Below is a list of IOCs associated with this Gozi ISFB campaign.

Exploit Kit infrastructure (used to distribute Gozi ISFB):

Gozi C&C DGA domains:

Gozi C&C IP address:

Gozi bootstrap server:

Malware sample:
MD5 d4528a53acc47d8ed14b11a2484b83ea
SHA256 582004916eaa13ac0b8bf717840b696b6d71644264bd95613c6c8bf26c49f657

The infection chain is as follows:

  1. The SWF file on 20min.ch contains embedded JavaScript that performs a basic fingerprint using the User Agent and Cookie. Based on this information, a decision is made whether or not to redirect to the infection site.
  2. The visitor is redirected to the exploit kit, where a VBScript is downloaded that performs another check to determine which exploit would suit the target.
  3. The device is infected with Gozi in the form of a .dll that is made persistent via a registry key (rundll) under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The dll resides in the %APPDATA% folder of the user.
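The persistence described in step 3 can be hunted for by reviewing the Run key of each user. The following is an added example, not code from GovCERT.ch: it parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags values that start a DLL located under %APPDATA% through rundll32. The value names, paths and export names in the sample are constructed, and a hit is a lead for manual review, not proof of a Gozi infection.

```python
import re

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r'^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$')
# rundll32 invoked either bare or with a full path, with or without ".exe".
RUNDLL = re.compile(r'(?:^|[\\"\s])rundll32(?:\.exe)?(?=["\s]|$)', re.I)
# A DLL under %APPDATA%, unexpanded or expanded to ...\AppData\Roaming\...
APPDATA_DLL = re.compile(r'(?:%appdata%|\\appdata\\roaming)\\[^",]*\.dll', re.I)


def parse_run_values(reg_output):
    """Yield (name, data) for every value found in `reg query` text output."""
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            yield m.group("name"), m.group("data")


def suspicious_run_entries(reg_output):
    """Return (name, data) of Run values that load a DLL from %APPDATA% via rundll32."""
    return [
        (name, data)
        for name, data in parse_run_values(reg_output)
        if RUNDLL.search(data) and APPDATA_DLL.search(data)
    ]


# Constructed sample output; none of these values come from the incident.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Audio Helper    REG_SZ    rundll32.exe "C:\Users\alice\AppData\Roaming\Example\sample.dll",DllRegisterServer
    Vendor Tool    REG_SZ    "C:\Windows\System32\rundll32.exe" C:\Windows\System32\example.dll,Start
    Updater    REG_EXPAND_SZ    rundll32 "%APPDATA%\Example\other.dll",Start
'''

if __name__ == "__main__":
    for name, data in suspicious_run_entries(SAMPLE):
        print(f"review Run value {name!r}: {data}")
```
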

We are notifying Internet Service Providers (ISPs) and network owners in Switzerland about Gozi infections in their IP space that we become aware of. If your ISP informs you about such an infection, we strongly recommend that you clean up the infected machine by reinstalling the operating system. Please note that not all antivirus software is able to spot a Gozi infection; hence a full reinstall of the operating system is recommended.


Below you can find further documentation on how to prevent malware infections.

For end users:

Informationen für Private

Informations pour des utilisateurs privés

Informazioni per privati

For small and medium businesses:

Merkblatt IT-Sicherheit für KMUs

Sécurité informatique: aide-mémoire pour les PME

Promemoria sulla sicurezza informatica per le PMI

Further reading on this Gozi campaign:

Swiss Advertising network compromised and distributing a Trojan

Gozi ISFB - When A Bug Really Is A Feature
