Crooks Combine Gozi and Nymaim Trojans to Steal Money from 24 Banks

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
During the month of April, security researchers from IBM have spotted a new trojan that appears to be the spawn of the Gozi banking trojan and the Nymaim dropper/ransomware.

Dubbed GozNym, researchers say this trojan was used in attacks against the customers of financial institutions in the US (22 entities) and Canada (2).

The attacks didn't target only banking portals, but also the websites of credit unions, e-commerce platforms, and other entities that deal with large financial operations.

Attribution for these attacks was given to the group that developed the Nymaim dropper. Security experts explained that the source code of the Nymaim malware never leaked online while Gozi's source code leaked twice, once in 2010, and later in 2015. This means that the only ones that could have merged Nymaim with Gozi are Nymaim's creators.
Just like Gozi, GozNym leverages Web injection attacks
While Gozi is known in infosec circles and even outside them as a dangerous virus that can steal and manipulate data entered inside browsers while accessing banking portals, fewer details are known about Nymaim.

According to IBM, the latter is a lightweight malware family that's called a dropper, specialized in infecting computers and gaining a foothold for attackers, later downloading other types of malware.

In some cases, versions of Nymaim came pre-packed with a custom-made ransomware that locked the user's screen, but that never encrypted files.

All of these features are now combined, except the ancient ransomware component, and crooks are using GozNym as an all-around threat that can infect users and then immediately start attacks on computers it deems valuable.

Of course, there's also a downside to merging the source code of two very well-known malware families, and that's the antivirus detection rate, which will be very high. And it is, according to this VirusTotal sample.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym.

The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.

(for lots more follow the link)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top