After the Canadian and American financial institutions, from which it managed to extract the tidy sum of 4 million dollars last month, the hybrid Trojan GozNym is now turning to European banks.
A newcomer to the Trojan market, GozNym combines the stealth characteristics of Nymaim with the capabilities of the Gozi ISFB Trojan, which specializes in targeting the banking sector, making it a powerful attack vector. According to IBM’s X-Force security team, the malware is now being used in a large campaign against European financial institutions, including 17 major Polish banks and a Portuguese financial institution, but it also targets various businesses and SMEs. The very wide attack spectrum of the malware is a first in Poland: nearly 230 URLs target the websites of Polish retail banks and email service providers.
During the first half of April, IBM researchers found that the hybrid Trojan was being used to conduct a massive campaign against more than 24 US and Canadian banks, credit institutions and e-commerce platforms, and that it had managed to steal millions of dollars in just a few weeks. GozNym is very subtle: it is able to copy user credentials, but it also knows how to encrypt data, protect itself from virtual machines and obfuscate its execution flow to remain discreet and avoid being unmasked.
Fake banking sites to deceive customers
Some redirection procedures have already been successfully used by Dyre and Dridex in real attacks, but the authors behind the GozNym hybrid Trojan gave the malware special abilities that allow it to mask its attacks and operate without being detected by security specialists. The whole strategy is based on the use of a fraudulent website. GozNym’s redirect unwittingly sends victims, usually infected through malware delivered by spam, to a fake site that looks identical to the bank’s online site, bypassing the bank’s security measures. The attackers then only have to retrieve the credentials the victim enters on the fake site, along with the two-factor authentication data, which are all they need to access the real bank account and steal money.
According to IBM’s X-Force team, there is no doubt that the Trojan GozNym is becoming a serious threat to financial institutions, and the big banks in particular should be prepared to counter increasingly frequent attacks. In addition to malware detection and endpoint protection solutions, IBM recommends that users who want to avoid becoming infected with malware “systematically update their operating system and commonly used applications with the latest version available, and remove applications they no longer use”.
Beware of attachments
On the X-Force team blog, Limor Kessem, IBM Security Advisor, also writes that “To prevent Trojan infection, it is important to disable advertisements and avoid sensitive sites commonly used as a basis of infection.” She also recalls that it is essential never to click on links or attachments contained in unsolicited emails.