GozNym financial trojan shifts sights to European banks
A hybrid attack, GozNym combines the stealthy characteristics of Nymaim, and the banking Trojan capabilities of Gozi ISFB to create a powerful new Trojan.
The malware is now being used in an aggressive campaign against Europe, including 17 major Polish banks, one Portuguese financial institution and various corporate and SMB targets, according to IBM's X-Force security team.
This attack configuration has one of the widest attack scopes Poland has ever seen, with close to 230 URLs targeting the websites of community banks and webmail service providers in the region.
In the first half of April this year, IBM researchers uncovered an active campaign against more than 24 US and Canadian banks, credit unions and e-commerce platforms, leading to the theft of millions of dollars in only a few weeks.
GozNym is a malware dropper which steals user credentials, while also implementing encryption, anti-VM and control flow obfuscation to remain silent and avoid discovery.
Although redirection schemes have already been successfully implemented in real-world attacks by Dyre and Dridex, the team behind the GozNym hybrid designed its own special scheme to keep the attacks hidden from security personnel by using a fraudulent website.
GozNym's redirection scheme leads unwitting victims to a fake website – usually via a malware-laden spam email - which appears identical to the legitimate bank's website, which thereby bypasses a bank's security measures. There the attackers capture the victim's credentials and two-factor authentication data, which are required to access the real bank account and steal funds.
The IBM X-Force team said it was clear the GozNym Trojan is evolving quickly to become a serious player in the financial threat landscape, and financial institutions should prepare for an increase in such attacks, particularly directed at larger banks.
Read more:New research identifies poor incident response and unpatched vulnerabilities
In addition to malware detection solutions and protect customer endpoints, IBM recommended users looking to prevent malware infections on their endpoints “must keep operating systems up to date at all times, update frequently used programs and delete applications they no longer use”.
“Preventing Trojan infection includes disabling ads and avoiding susceptible sites typically used as infection hubs. Never clicking on links or attachments in unsolicited emails is also critically important,” writes Limor Kessem, executive security advisor with IBM, on the X-Force team blog.