GozNym Closure Comes in the Shape of a Europol and DOJ Arrest Operation


Two and a half years after the initial arrest of a major member of the GozNym cybercrime gang, Europol and the U.S. Department of Justice (DOJ) joined forces to apprehend additional gang members who had used the Trojan to pilfer large sums from companies in the U.S. The operation was hailed as “unprecedented,” having successfully dismantled what was left of a gang that had attempted to steal well over $100 million.

A Two-Headed Beast Emerges

In April 2016, IBM X-Force researchers came across a new banking Trojan that seemed a little too familiar. After taking a closer look at what turned out to be sophisticated, modular code, our team announced that a hybrid Trojan had been spawned from the Nymaim and Gozi ISFB malware.


X-Force named it GozNym after its two parent components, having determined that the likely operators of Nymaim, a malware loader used mostly in ransomware attacks, had recompiled its source code together with part of the Gozi ISFB source code. The resulting combination was launched in attacks targeting the customers of more than 24 U.S. and Canadian banks, and GozNym-facilitated fraud amounted to over $4 million in losses within the first few days of its activity.

What was the purpose of this odd combination? Those behind the GozNym project most likely aimed to marry the best of Nymaim and Gozi ISFB into a single, more powerful Trojan. GozNym leveraged the Nymaim dropper’s stealth and persistence, while the Gozi ISFB parts contributed the banking Trojan’s modules and the capabilities needed to facilitate wire fraud from infected user devices.

Technical information about this hybrid was released by X-Force research in July 2016, when GozNym started spreading to additional geographies.

Takes the World by Storm

GozNym’s operators did not wait long after activating their campaigns. They teamed up with the Avalanche botnet (Avalanche was taken down by Europol in late 2016, which led to the exposure of some of GozNym’s major operators) to spread the malware, linked up with other elite cybercriminals, and began moving the project into additional countries.

Within a week of launching aggressive attacks on online banking users in North America, GozNym was equipped with redirection attacks and set loose in Poland. Malware-facilitated redirection is a sophisticated way to hijack online banking users: the victim is sent to an obscure replica of their bank’s website where, away from the bank’s security controls, they are duped into divulging their account credentials, personal information and secondary authentication codes. Because those one-time codes are harvested in real time, the fraudster working in the background can initiate a fraudulent transaction and complete it with the freshly stolen data before the code expires.
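The article does not describe the mechanism GozNym used to redirect victims, so the following is an added example, not code from X-Force or from the malware itself. It shows two cheap host-side checks an incident responder can run on a machine suspected of this kind of redirection, assuming (hypothetically) that the redirection leaves traces in the hosts file or in the browser history: a banking domain pinned to an address outside the bank’s known ranges, and visited domains that contain a bank’s name but are not the bank’s own registrable domain. The bank names, address ranges and sample input are all constructed for illustration.

```python
"""Detect local redirection of banking traffic (added example, not from the article).

Two cheap host-side checks a responder can run on a suspected infection:
1. hosts-file overrides: a banking domain pinned to an IP outside the bank's
   known ranges means name resolution has been short-circuited locally.
2. lookalike domains in browser history: a replica site typically lives on a
   domain that contains the bank's name but is not the bank's registrable domain.
Bank names, IP ranges and sample input below are constructed (hypothetical).
"""
import ipaddress
import re

# Constructed: banks we care about and the address ranges they publish (hypothetical).
KNOWN_BANKS = {
    "examplebank.com": ["192.0.2.0/24"],
    "bank-example.pl": ["198.51.100.0/24"],
}

# Constructed sample hosts file, as a loader might leave it behind.
HOSTS_SAMPLE = """
127.0.0.1 localhost
# override planted by the infection (constructed)
203.0.113.7 www.examplebank.com online.examplebank.com
192.0.2.10 secure.examplebank.com
"""

# Constructed sample of URLs pulled from browser history.
URLS_SAMPLE = [
    "https://www.examplebank.com/login",
    "https://examplebank.com.account-verify.example/login",
    "https://online-bank-example.pl/login",
]


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower().rstrip(".")


def registrable_domain(host):
    """Crude: the last two labels. Fine for .com/.pl; not a Public Suffix List lookup."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_hosts_entries(text):
    """Return (hostname, ip, reason) for bank hosts pinned outside known ranges."""
    findings = []
    for ip, name in parse_hosts(text):
        reg = registrable_domain(name)
        if reg not in KNOWN_BANKS:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if not any(addr in ipaddress.ip_network(n) for n in KNOWN_BANKS[reg]):
            findings.append((name, ip, "bank host pinned outside known ranges"))
    return findings


def lookalike_domains(urls):
    """Return (url, impersonated_bank) for hosts that mention a bank but are not its domain."""
    findings = []
    for url in urls:
        m = re.match(r"https?://([^/:?#]+)", url)
        if not m:
            continue
        host = m.group(1).lower()
        reg = registrable_domain(host)
        for bank in KNOWN_BANKS:
            keyword = bank.split(".")[0]  # e.g. "examplebank"
            if keyword in host and reg != bank:
                findings.append((url, bank))
    return findings


if __name__ == "__main__":
    for name, ip, reason in suspicious_hosts_entries(HOSTS_SAMPLE):
        print(f"hosts override: {name} -> {ip} ({reason})")
    for url, bank in lookalike_domains(URLS_SAMPLE):
        print(f"lookalike: {url} impersonates {bank}")
```

On the constructed input, the two entries pointing bank hosts at 203.0.113.7 are flagged while secure.examplebank.com (inside 192.0.2.0/24) is not, and both lookalike URLs are reported. The registrable-domain helper is deliberately crude; a real triage script would use a Public Suffix List library and the bank’s published ranges.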

In June 2016, GozNym redirection attacks spread to the U.S., targeting the business banking customers of major financial institutions in the country. By August 2016, GozNym was off to a Euro-trip of sorts, launching redirection attacks on banks in Germany.

Spreading out this quickly and efficiently is no small feat. To begin with, creating and maintaining redirection attacks is a resource-heavy endeavor. Beyond that technical hurdle, spreading a banking Trojan to countries with their own languages, such as Poland or Germany, where the banking systems also differ, requires people on the ground. It means GozNym’s collaborators had the contacts to craft and spread convincing malspam in those languages, run the redirection attacks simultaneously in different parts of the world, obtain backing from local organized crime to facilitate cash-out, and move the money out quickly.

But as they stormed through different parts of the globe, GozNym’s operators did not realize how much attention they had attracted from the security research industry and from law enforcement agencies worldwide.

Wham Bam — GozNym’s Down

