GozNym banking Trojan ramps up attacks, targets Europe

It is no longer just US banks that are the sophisticated Trojan's potential victims.
Written by Charlie Osborne, Contributing Writer

The operators behind the GozNym financial Trojan have been busy. After targeting US banks in a widespread campaign earlier this month, the cybercriminals have now set their sights on Europe.


According to IBM's X-Force security team, the hybrid malware is now being used in aggressive attacks in Europe, including against 17 major Polish banks, a Portuguese financial institution and corporate targets.

GozNym is a hybrid Trojan which binds the capabilities of the Nymaim Trojan and Gozi ISFB.

By bringing together the source code of two powerful pieces of malicious software, the threat actors have managed to create what IBM calls a "double-headed monster" capable of bringing financial institutions to their knees.

Only a week ago, researchers uncovered an active campaign against at least 24 US and Canadian banks, credit unions and e-commerce platforms, leading to the theft of millions of dollars in only a few weeks.

GozNym not only acts as a malware dropper which steals user credentials but also implements encryption, anti-VM and control flow obfuscation to remain silent and avoid discovery. The Gozi bolt-on module increases the malware's power by adding a webinjection dynamic link library (DLL) which infects user browsers and is able to manipulate online banking sessions.

This isn't the end of the story. The perpetrators behind GozNym have now added a new configuration which includes the launch of redirection attacks against Poland in particular, and now close to 230 web addresses belonging to Polish banks and email providers are being targeted.

GozNym's redirection scheme is made up of two main avenues. The first is the redirection of unwitting victims, before they even reach the bank's web domain, to a fake website which appears identical to the legitimate bank's site, thereby bypassing the bank's security measures.

"By keeping victims away from the bank's site, the fraudster can deceive them into divulging critical authentication codes on the replica site, all without the bank knowing that the customer's session has been compromised," the team says.

The fraudulent website then captures the victim's credentials and two-factor authentication data, which is required to access the real bank account and steal funds.

The second part of the scheme reveals how sophisticated the cybercriminals are. By keeping each fraudulent domain on a separate server, the group is able to keep the scheme under wraps and make the crime spree more difficult to map.
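The article describes the redirection only in outcome: the victim never reaches the bank's real domain. One common way such a redirection is implemented on an infected endpoint is by tampering with name resolution (a hosts-file override or a poisoned resolver answer), so a defender can look for monitored banking domains that resolve to addresses outside the ranges the bank actually uses. The following detector is an added example, not code from IBM X-Force or from the article; the allowlisted networks, the hosts-file contents and the DNS log format are all constructed for illustration, and the assumption that the redirection is done via name resolution is ours, not a claim the article makes.

```python
"""Flag banking domains that resolve away from their expected networks.

Added example (not from the article or IBM). Two sources are checked:
a hosts file (local override) and resolver log lines (poisoned answers).
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Hypothetical allowlist: monitored domain -> networks its genuine site lives in.
# Constructed values using documentation address ranges; not real bank infrastructure.
EXPECTED_NETWORKS = {
    "bank.example.pl": ["203.0.113.0/24"],
    "mail.example.pl": ["198.51.100.0/24"],
}


def monitored_domain(name: str) -> Optional[str]:
    """Return the allowlist key that covers `name` (exact or subdomain), else None."""
    name = name.lower().rstrip(".")
    for domain in EXPECTED_NETWORKS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def is_expected(domain: str, ip: str) -> bool:
    """True if `ip` falls inside one of the networks allowed for `domain`.

    Unmonitored domains are always considered fine; unparsable addresses are not.
    """
    nets = EXPECTED_NETWORKS.get(domain)
    if nets is None:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in nets)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        entries.extend((ip, n.lower()) for n in names)
    return entries


def hosts_overrides(text: str) -> List[Tuple[str, str]]:
    """Hosts entries that pin a monitored domain to an address outside its allowlist."""
    findings = []
    for ip, name in parse_hosts(text):
        domain = monitored_domain(name)
        if domain is not None and not is_expected(domain, ip):
            findings.append((ip, name))
    return findings


# Constructed resolver log format: "<ts> client <ip> query <name> answer <ip>"
DNS_LOG = re.compile(r"client (\S+) query ([\w.-]+) answer (\S+)")


def dns_anomalies(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(client, domain, answer) for monitored domains answered outside their allowlist."""
    findings = []
    for line in lines:
        match = DNS_LOG.search(line)
        if not match:
            continue
        client, qname, answer = match.groups()
        domain = monitored_domain(qname)
        if domain is not None and not is_expected(domain, answer):
            findings.append((client, domain, answer))
    return findings


# Constructed sample inputs (not real data).
SAMPLE_HOSTS = """127.0.0.1 localhost
# override pinning the bank and its www alias to a foreign host
192.0.2.45 bank.example.pl www.bank.example.pl
198.51.100.7 mail.example.pl   # legitimate address, inside the allowlist
"""

SAMPLE_DNS = [
    "2016-04-25T10:01:02Z client 10.0.0.5 query bank.example.pl. answer 203.0.113.20",
    "2016-04-25T10:01:09Z client 10.0.0.9 query bank.example.pl. answer 192.0.2.45",
    "2016-04-25T10:02:11Z client 10.0.0.5 query shop.example.com. answer 93.184.216.34",
]

if __name__ == "__main__":
    for ip, name in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
    for client, domain, answer in dns_anomalies(SAMPLE_DNS):
        print(f"suspicious answer: {client} asked {domain}, got {answer}")
```

In practice the allowlist would come from the bank's published ranges or from a baseline of historical resolutions, and the check should run alongside TLS certificate validation, since a replica site served from a foreign address cannot present the bank's genuine certificate.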

The campaign has shown no signs of slowing down, and IBM X-Force fully expects GozNym to become a "serious player" in the financial threat landscape.

"To help stop threats like GozNym, banks and service providers can use adaptive malware detection solutions and protect customer endpoints with malware intelligence that provides real-time insight into fraudster techniques and capabilities," IBM says.

"Users looking to prevent malware infections on their endpoints must keep operating systems up to date at all times, update frequently used programs and delete applications they no longer use."
