Two Heads Are Better Than One: Going Under the Hood to Analyze GozNym
This post was co-authored with IBM X-Force researcher Lior Keshet.
---
In April 2016, IBM X-Force Research exposed a malware hybrid that combines the Nymaim downloader and the Gozi Trojan’s financial fraud module, naming that new banking malware GozNym.
The inner workings of GozNym are quite interesting. This post is an overview of the GozNym Trojan’s main structure, with added details on its fraud-facilitating components as determined by X-Force Research.
A Two-Headed Beast
Gozi (ISFB)
Gozi, also known as ISFB or Ursnif, is a financial Trojan that has had its source code leaked twice. The first and most significant leak took place in 2010, and the second occurred in late 2015. The essential parts of the Gozi code have been widely used in the past few years and are still being used by a variety of cybercriminals today.
Gozi remains popular due to the effectiveness of the source code and its modularity. Two noteworthy modules that keep this malware relevant are:
Gozi’s main module, which enables injecting the financial module into web browsers, communicates with the command-and-control (C&C) server and ensures its operational and stealth functions; and
The financial module, which is injected into browsers and used for deploying malicious webinjections, among other actions.
Nymaim
The Nymaim malware has been around since 2011 and was always known to be deployed in combination with additional malware. This kind of Trojan is usually referred to as a downloader.
In its early days in 2011, Nymaim was used exclusively for dropping ransomware, well before ransomware became as prevalent as it is today. While Nymaim’s operators have touched on financial malware since then, they never stuck with any specific banking Trojan until 2015.
GozNym Emerges
In late 2015, IBM X-Force researchers started detecting stealthy malware infection campaigns in which Nymaim downloaded the Gozi Trojan and then used it in fraud attacks on online banking customers. These campaigns prompted a more detailed investigation of Nymaim’s malicious activity and eventually led researchers to discover Nymaim’s new hybrid form, which was named GozNym.
That deployment mode changed in early 2016, when X-Force researchers noticed a subtle yet significant modification in this malware’s code: Nymaim began using a modified version of Gozi’s financial module and embedded it into its own code. This version of the module is only usable in combination with another piece of code that is injected into the browser. By making this change, Nymaim was no longer a mere downloader used for running other pieces of malware. Rather, it became a hybrid banking Trojan that stands on its own and is detected as such.
Since GozNym took on its hybrid form, X-Force researchers have been paying close attention to it. They have observed that it has become one of the most active players in the financial malware arena, with capabilities such as redirection attacks, which are typically reserved for elite cybercrime gangs such as the one behind Dridex.
Read more of this post and find out about GozNym’s activity here.