GozNym Closure Comes in the Shape of a Europol and DOJ Arrest Operation
Two and a half years after the initial arrest of a major member of the GozNym cybercrime gang, Europol and the U.S. Department of Justice (DOJ) joined forces to reach additional gang members who used the Trojan to pilfer large amounts of money from companies in the U.S. The operation was crowned “unprecedented,” having successfully dismantled what was left of the gang that attempted to steal well over $100 million.
A Two-Headed Beast Emerges
In April 2016, IBM X-Force researchers came across a new banking Trojan that seemed a little too familiar. After taking a closer look at what seemed to be a pretty sophisticated, modular code, our team announced that a Trojan hybrid had been spawned from the Nymaim and Gozi ISFB malware.
X-Force named it GozNym, representing its two major components, having realized that the likely operators of Nymaim — a malware loader used mostly in ransomware attacks — recompiled its source code with part of the Gozi ISFB source code, creating a combination that they launched into attacks targeting the customers of more than 24 U.S. and Canadian banks. GozNym-facilitated fraud attacks amounted to over $4 million in losses within the first few days of its activity.
What was the purpose of this odd combination? It is likely that those behind the GozNym project aimed to marry the best of both Nymaim and Gozi ISFB to create a powerful new Trojan. GozNym leveraged the Nymaim dropper’s stealth and persistence, while the Gozi ISFB parts added the banking Trojan’s modules and capabilities to facilitate wire fraud on infected user devices.
Technical information about this hybrid was released by X-Force research in July 2016, when GozNym started spreading to additional geographies.
Takes the World by Storm
GozNym’s operators wasted no time after activating their campaigns. They teamed up with the Avalanche botnet (Avalanche was taken down by Europol in late 2016, leading to the exposure of some of GozNym’s major operators) to spread the malware and link up with other elite cybercriminals, and started moving the project into additional countries.
Within no more than a week after launching aggressive attacks on online banking users in North America, GozNym was equipped with redirection attacks and set loose in Poland. Malware-facilitated redirection is a sophisticated way to hijack online banking users to an obscure replica of their bank’s website and there, away from their bank’s security controls, dupe them into divulging their account credentials, personal information and secondary authentication codes. In the background, a fraudster initiates a fraudulent transaction and completes it using the freshly stolen data.
In June 2016, GozNym redirection attacks spread to the U.S., targeting the business banking customers of major financial institutions in the country. By August 2016, GozNym was off to a Euro-trip of sorts, launching redirection attacks on banks in Germany.
Spreading out this quickly and efficiently is no small feat. To begin, creating and maintaining redirection attacks is a resource-heavy endeavor. But going beyond that technical hurdle, spreading a banking Trojan to countries with a unique language, such as German or Polish, where banking systems differ, requires people on the ground. It means that GozNym collaborators had the contacts to help them craft and spread quality malspam in those languages, work the redirection attacks simultaneously in different parts of the world, receive backing from local organized crime to facilitate cash-out, and move the money out quickly.
But as they stormed through different parts of the globe, GozNym’s operators did not realize they had garnered a lot of attention from the security research industry and from global law enforcement agencies.
Wham Bam — GozNym’s Down