Tech

GozNym: The double-headed malware monster targeting US banks

The latest threat to the US banking system is hybrid malware with powerful offensive capabilities.

Written by Charlie Osborne, Contributing Writer April 15, 2016 at 3:39 a.m. PT

Banking Trojans Nymaim and Gozi ISFB have combined to create a new hybrid, GozNym, which has already become responsible for the theft of millions of dollars from banks.

According to IBM X-Force researchers, the operators of the powerful Nymaim Trojan have recompiled its source code with slices of the Gozi ISFB source code, which has created a "double-headed monster" hybrid malware which has improved capabilities.

The team says the banking Trojan is already actively used in attacks against financial institutions with the overall aim of compromising business accounts.

GozNym is currently being used in campaigns focused on at least 24 US banks, credit unions and e-commerce platforms, and has managed to steal "millions of dollars so far" in a matter of weeks.

Two financial institutions in Canada have also become victims of the hybrid malware.

Security

The source code for Gozi ISFB was leaked publicly in 2010, as well as 2015, when it was rumored a refined and modified version of the Trojan's code was made available. However, the only group known to have access to Nymaim's source code is its original development team, and so it may be that the cyberattackers have turned towards this leak to improve their own programs.

"The most likely scenario is that the Nymaim team obtained the leaked Gozi ISFB code and successfully incorporated it into their own malware to create a combination Trojan for financial fraud attacks," IBM says.

Internally, the source code merger has resulted in a banking trojan "where the two codes rely on one another to carry out the malware's internal operations," according to the security researchers.

The Nymaim Trojan is a malware dropper which usually compromises systems through exploit kits before executing a payload to steal credentials and user data. The malware, which has been linked to ransomware drops in the past, uses advanced techniques including encryption, anti-VM and control flow obfuscation to stay hidden.

However, in late 2015, IBM noticed Nymaium was pulling a Gozi module, a webinjection dynamic link library (DLL), to conduct internet banking attacks. The team said:

"Before merging into an actual hybrid, earlier versions of Nymaim used to fetch and inject Gozi ISFB's financial module as a complete DLL into the infected victim's browser to enable web-injections on online banking sites.
This malware is as stealthy and persistent as the Nymaim loader while possessing the Gozi ISFB Trojan's ability to manipulate Web sessions, resulting in advanced online banking fraud attacks."

This is far from good news for bank systems, especially as the malware has already proven its worth by stealing millions of dollars in such a short time frame. Malware hybrids are nothing new, but as cyberattackers evolve their attacks and techniques, financial institutions must also invest more heavily in protective measures to try and stop themselves becoming another victim.