- Oct 23, 2012
- 12,527
During the month of April, security researchers from IBM have spotted a new trojan that appears to be the spawn of the Gozi banking trojan and the Nymaim dropper/ransomware.
Dubbed GozNym, researchers say this trojan was used in attacks against the customers of financial institutions in the US (22 entities) and Canada (2).
The attacks didn't target only banking portals, but also the websites of credit unions, e-commerce platforms, and other entities that deal with large financial operations.
Attribution for these attacks was given to the group that developed the Nymaim dropper. Security experts explained that the source code of the Nymaim malware never leaked online while Gozi's source code leaked twice, once in 2010, and later in 2015. This means that the only ones that could have merged Nymaim with Gozi are Nymaim's creators.
Dubbed GozNym, researchers say this trojan was used in attacks against the customers of financial institutions in the US (22 entities) and Canada (2).
The attacks didn't target only banking portals, but also the websites of credit unions, e-commerce platforms, and other entities that deal with large financial operations.
Attribution for these attacks was given to the group that developed the Nymaim dropper. Security experts explained that the source code of the Nymaim malware never leaked online while Gozi's source code leaked twice, once in 2010, and later in 2015. This means that the only ones that could have merged Nymaim with Gozi are Nymaim's creators.
Just like Gozi, GozNym leverages Web injection attacks
While Gozi is known in infosec circles and even outside them as a dangerous virus that can steal and manipulate data entered inside browsers while accessing banking portals, fewer details are known about Nymaim.
According to IBM, the latter is a lightweight malware family that's called a dropper, specialized in infecting computers and gaining a foothold for attackers, later downloading other types of malware.
In some cases, versions of Nymaim came pre-packed with a custom-made ransomware that locked the user's screen, but that never encrypted files.
All of these features are now combined, except the ancient ransomware component, and crooks are using GozNym as an all-around threat that can infect users and then immediately start attacks on computers it deems valuable.
Of course, there's also a downside to merging the source code of two very well-known malware families, and that's the antivirus detection rate, which will be very high. And it is, according to this VirusTotal sample.