Two Heads Are Better Than One: Going Under the Hood to Analyze GozNym

This post was co-authored with IBM X-Force researcher Lior Keshet.

---

In April 2016, IBM X-Force Research exposed a malware hybrid that combines the Nymaim downloader and the Gozi Trojan’s financial fraud module, naming that new banking malware GozNym.

The inner workings of GozNym are quite interesting. This post is an overview of the GozNym Trojan’s main structure, with added details on its fraud-facilitating components as determined by X-Force Research.

A Two-Headed Beast

 Gozi (ISFB)

Gozi, also known as ISFB or Ursnif, is a financial Trojan that has had its source code leaked twice. The first and most significant leak took place in 2010, and the second occurred in late 2015. The essential parts of the Gozi code have been widely used in the past few years and are still being used by a variety of cybercriminals today.

Gozi remains popular due to the effectiveness of the source code and its modularity. Two noteworthy modules that keep this malware relevant are:

Gozi’s main module, which enables injecting the financial module into web browsers, communicates with the command-and-control (C&C) server and ensures its operational and stealth functions; and

The financial module, which is injected into browsers and used for deploying malicious webinjections, among other actions.

Nymaim

The Nymaim malware has been around since 2011 and was always known to be deployed in combination with additional malware. This kind of Trojan is usually referred to as a downloader.

In its early days in 2011, Nymaim was used exclusively for dropping ransomware — way before ransomware became as prevalent as it is today. While Nymaim’s operators have touched on financial malware since then, they never stuck with any specific banking Trojan until 2015.

GozNym Emerges

In late 2015, IBM X-Force researchers started detecting stealthy malware infection campaigns in which Nymaim downloaded the Gozi Trojan and then used it in fraud attacks on online banking customers. These campaigns prompted a more detailed investigation of Nymaim’s malicious activity and eventually led researchers to discover Nymaim’s new hybrid form, which was named GozNym.

That deployment mode changed in early 2016, when X-Force researchers noticed a subtle yet significant modification in this malware’s code: Nymaim began using a modified version of Gozi’s financial module and embedded it into the actual code. This version of the module is only usable in combination with another piece of code that was injected into the browser. By making this change, Nymaim was no longer a mere downloader used for running other pieces of malware. Rather, it became a hybrid banking Trojan that stands on its own and is detected as such.

Since taking on its hybrid form, X-Force researchers have been paying close attention to GozNym. They have observed that it has become one of the most active players in the financial malware arena with capabilities such as redirection attacks, which are typical reserved for elite cybercrime gangs such as Dridex.

Read more of this post and find out about GozNym’s activity here.