- Jun 9, 2013
- 6,720
The GozNym Trojan, which is a Frankenstein-like hybrid of two families of malware, has been used to frequently deliver malware through various spear phishing campaigns. But it turns out that this baddie has split personality disorder, with four different variants out in the wild to wreak havoc.
By way of background, Gozi was a widely distributed banking trojan with a DGA and also contained the ability to install a Master Boot Record (MBR) rootkit. Nymaim emerged in 2013 as malware which was used to deliver ransomware. There have been multiple instances in which the source code of the Gozi trojan has been leaked, which allowed the GozNym authors to create a significantly more robust piece of malware which was now capable of utilizing strengthened persistence methods and ultimately becoming a powerful banking trojan.
Cisco Talos engineers reverse-engineered the malware, which allowed them to gain visibility into the size and scope of this threat and the number of infected systems beaconing to C2 servers under adversarial control. After analyzing the data, Talos discovered 23,062 infected machines within the first 24 hours. Talos also identified that the four different variants of GozNym that exhibited slightly different characteristics with respect to the Domain Generation Algorithms (DGAs) used to generate the list of C2 servers to connect to.
“It is possible that they were all created and deployed by the same threat actor or group as there are several overlaps in regards to the use of the same C2 infrastructure, where the binaries were being distributed from, and the phishing campaigns associated with the distribution of the samples,” said Ben Baker, Edmund Brumaghin and Jonah Samost, in a blog.
Talos identified several spear phishing campaigns which were used to distribute the GozNym malware. The themes are similar to others commonly seen in email-based threats whereby messages will be directed to the recipient to open an attached "tax invoice" or "payment document.” The adversary took the time to profile each of the organizations targeted in these campaigns. In many cases that Talos analyzed, a single email was sent to each organization with the sole recipient being an employee in the accounting or finance department of the targeted organization. Additionally, the contents of each message were tailored to the organization and featured attachment names also appropriately tailored.
“The characteristics associated with the spam campaigns used to distribute GozNym to potential victims, a good deal of effort was spent determining who to target within organizations and spear phishing was used in an effort to evade detection and avoid alerting administrators,” the researchers said.
Full Article. http://www.infosecurity-magazine.com/news/goznym-frankenstein-trojan-has/
By way of background, Gozi was a widely distributed banking trojan with a DGA and also contained the ability to install a Master Boot Record (MBR) rootkit. Nymaim emerged in 2013 as malware which was used to deliver ransomware. There have been multiple instances in which the source code of the Gozi trojan has been leaked, which allowed the GozNym authors to create a significantly more robust piece of malware which was now capable of utilizing strengthened persistence methods and ultimately becoming a powerful banking trojan.
Cisco Talos engineers reverse-engineered the malware, which allowed them to gain visibility into the size and scope of this threat and the number of infected systems beaconing to C2 servers under adversarial control. After analyzing the data, Talos discovered 23,062 infected machines within the first 24 hours. Talos also identified that the four different variants of GozNym that exhibited slightly different characteristics with respect to the Domain Generation Algorithms (DGAs) used to generate the list of C2 servers to connect to.
“It is possible that they were all created and deployed by the same threat actor or group as there are several overlaps in regards to the use of the same C2 infrastructure, where the binaries were being distributed from, and the phishing campaigns associated with the distribution of the samples,” said Ben Baker, Edmund Brumaghin and Jonah Samost, in a blog.
Talos identified several spear phishing campaigns which were used to distribute the GozNym malware. The themes are similar to others commonly seen in email-based threats whereby messages will be directed to the recipient to open an attached "tax invoice" or "payment document.” The adversary took the time to profile each of the organizations targeted in these campaigns. In many cases that Talos analyzed, a single email was sent to each organization with the sole recipient being an employee in the accounting or finance department of the targeted organization. Additionally, the contents of each message were tailored to the organization and featured attachment names also appropriately tailored.
“The characteristics associated with the spam campaigns used to distribute GozNym to potential victims, a good deal of effort was spent determining who to target within organizations and spear phishing was used in an effort to evade detection and avoid alerting administrators,” the researchers said.
Full Article. http://www.infosecurity-magazine.com/news/goznym-frankenstein-trojan-has/
