GozNym Malware, a new hybrid breed of malicious software has stolen roughly $4 million from 24 U.S. and Canadian banks over the first several days of April
Meet The GozNym Malware – The Banking Malware Offspring of Gozi ISFB and Nymaim. IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym Malware.
The GozNym malware works by targeting customers rather than the banks directly. The malware makes its way into users’ computers when the account holder clicks on attachments or links in emails, then remains hidden until the user accesses his or her bank account.
To help stop threats like GozNym Malware, banks and service providers can use adaptive malware detection solutions and protect customer endpoints with malware intelligence that provides real-time insight into fraudster techniques and capabilities, designed to address the relentless evolution of the threat landscape.
The new GozNym Malware takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The result is a wild new banking Trojan. Internally, GozNym Malware works like a double-headed beast, where the two codes rely on one another to carry out the malware’s internal operations.
At this time, the GozNym hybrid's configuration is focused on the U.S., targeting 22 banks, credit unions and popular e-commerce platforms. Two financial institutions based in Canada are also on the list. The GozNym Malware operators' top target is business accounts.
[Figure: GozNym Targets per URL Type (Source: IBM X-Force)]
How was this hybrid created? GozNym’s source code is composed of two known malware codes, one of which is Gozi ISFB, which leaked in 2010. Gozi ISFB was actually leaked more than once: A second disclosure took place in late 2015, when a modified ISFB code was rumored to have been compromised yet again.
On the Nymaim side, the only group known to possess its source code is the original development team. The most likely scenario is that the Nymaim team obtained the leaked Gozi ISFB code and successfully incorporated it into their own malware to create a combination Trojan for financial fraud attacks.
Nymaim is a two-stage malware dropper. It usually infiltrates computers through exploit kits and then executes the second stage of its payload once it is on the machine, effectively using two executables for the infection routine.
The first merged variant, GozNym Malware, was detected in early April 2016, when new Nymaim samples came embedded with Gozi ISFB code and were recompiled into one malware. In the hybrid form, Nymaim is the first executable launched. It then launches the Gozi ISFB component as the second stage of the malware deployment.