Incident & Breach Response , Managed Detection & Response (MDR) , Next-Generation Technologies & Secure Development

New Hybrid Banking Trojan 'GozNym' Steals Millions

Ransomware Repurposed to Target Business Accounts
New Hybrid Banking Trojan 'GozNym' Steals Millions

A cybercrime gang has been using new malware to target business customers of banks in the United States and Canada and steal millions of dollars, primarily from business accounts, researchers at the IBM X-Force security group warn.

See Also: Secureworks Named a Major Player in the 2024 IDC MDR Marketscape

So far, attackers have been focusing their attacks on business customers of 22 banks, credit unions and e-commerce sites in the United States, as well as two financial institutions in Canada, IBM's Limor Kessem, an executive security adviser, and Lior Keshet, a malware researcher, write in a blog post.

In just the first few days of April, the attackers successfully stole an estimated $4 million, IBM tells The Wall Street Journal.

IBM has not named which organizations' customers were targeted but says the organizations have been alerted to the malware campaign. After infecting a system, the malware can steal financial data and capture screenshots, then relay them to attackers, who will attempt to transfer money out of victims' accounts.

The attacks have been perpetrated using "a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware," the IBM researchers say. They note that Nymaim - a Trojan downloader that can also function as ransomware - appears to be maintained and used by a single, closed group. Gozi, a.k.a. Vawtrak, is a banking Trojan that first appeared in 2012. The source code for Gozi was leaked twice - first in 2010 and again in 2015.

Threat-intelligence firm iSight Partners, in a research note, says it's not clear if a single group is behind Nymaim, noting: "Nymaim has been and continues to be operated by a limited number of actors." But it adds: "We consider it entirely plausible that Nymaim's operators produced a new version incorporating much of Gozi's credential theft capabilities."

Nymaim: Ransomware Roots

Over the past month, according to security firm ESET, Nymaim has predominantly been infecting victims in the United States, Germany and Poland. The malware, first spotted in September 2013, can be used to download additional attack code as well as to lock computers and demand a ransom, ESET notes.

Security researchers say Nymaim formerly was primarily distributed through the now defunct Blackhole exploit kit, a.k.a. DarkLeech, as well as by attackers tweaking search engine results - so-called Black Hat SEO - to make them return highly placed, legitimate-looking links for various keywords. In reality, however, those links led to sites that were infected with Blackhole, and which then launched drive-by attacks against known vulnerabilities in web browser plug-ins, in an attempt to seize control of endpoints.

In late 2013 alone, more than 2.5 million Nymaim infections were due to Blackhole, the anti-malware researcher known as Kafeine reported.

But the Nymaim gang had to adjust its malware-distribution tactics after Russian authorities busted members of the Blackhole cybercrime gang in October 2013 (see Russia: 7-Year Sentence for Blackhole Mastermind). By 2014, many computers infected by Nymaim were also infected with Gozi and Ursnif, the Miuref Trojan, as well as Pony, a downloader that enables attackers to push additional attack code onto infected PCs, security firm Proofpoint says in a recent blog post.

The GozNym Blend

Beginning in early 2016, some Pony infections were executing Nymaim before fetching Gozi - a.k.a. Gozi ISFB - as part of a multistage attack, IBM says, noting that many firms classified these as Gozi attacks, even though the Nymaim group - and malware - appeared to be responsible.

At that time, Proofpoint reported that Nymaim was primarily infecting PCs with the Ursnif banking Trojan, which is primarily designed to steal sensitive data. It said the primary distribution mechanism was "email to send document attachments or URLs leading to documents" which, when opened, would download macros and install Nymaim.

Early this year, the merged version of Gozi and Nymaim first appeared, combining "the best of both," IBM says. In particular, GozNym can evade antivirus software, as well as record keystrokes and take screenshots, for example, while users browse banking websites. As with other modern banking malware, GozNym can also use web injections, which enable attackers to alter the appearance of a user's online banking account to hide real-time transfers that attackers might be making.

Security experts say that GozNym, like Nymaim, gets distributed both via malicious links - created on websites by exploit toolkits - as well as via malicious attachments to email messages. Once it infects a system, GozNym, like Nymaim, can be used to install additional code.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.