GozNym Trojan even more sophisticated with a singular redirection mechanism

Pierluigi Paganini April 26, 2016

The cybercriminals behind the GozNym Trojan have started targeting users in European countries with a new singular redirection mechanism.

Last week, security experts from the IBM X-Force Research spotted a new threat dubbed GozNym Trojan that combines Gozi ISFB and Nymaim malware abilities.

The GozNym Trojan is particularly insidious, according to the researchers at the IBM X-Force Research, it is responsible for the theft of $4 million since it was first discovered a couple of two weeks ago.

According to the researchers, the new malware is currently involved in a campaign that is targeting business banking institutions, credit unions and retail banks. Among the victims of the GozNym Trojan there are 24 financial institutions in North America.

The experts that are investigating the threat now discovered that threat actors have begun using the GozNym Trojan against organizations in Europe, including a Polish webmail service providers, investment banking and consumer accounts at 17 banks in Poland and one bank in Portugal.

The researchers highlighted the significant efforts of the development team behind the Trojan, the analysis of the configuration used by recent samples confirms the widest attack scopes in Poland.

“According to X-Force research, this configuration has one of the widest attack scopes in Poland, proving that the country has become a lucrative target for organized cybercrime.” states the blog post published by IBM. “While the list of targeted entities features redirection instructions for 17 bank brands, it further includes close to 230 URLs targeting the websites of community banks and webmail service providers in Poland.”

When the GozNym Trojan compromises a device it monitors the victim’s activities. When the victim visits one of the websites included in the list of 230 URLs stored in the configuration file, the malware redirects it to a phishing page that reproduces the legitimate service.

banking trojan

The redirection mechanism designed for the GozNym Trojan implements a two-phase redirection scheme that makes harder forensics analysis.

GozNym’s redirection attacks are made up of two distinct phases, with the end goals of:

  1. Seamlessly redirecting the victim to the malicious website; and
  2. Keeping the attackers’ schemes on a separate website to help the criminals keep their modus operandi under wraps.

In the first phase, when the victim visits the website it is redirected to a phishing page used by crooks to collect credentials and two factor authentication data. The phishing website appears to be hosted on the legitimate domain.

“The fake page is designed to appear legitimate, carrying the bank’s URL and SSL certificate in the address bar to make sure the victims do not suspect they are on the wrong site. The attack manages to achieve this by sending empty/idle requests to the bank to keep the SSL connection alive. So far, it’s similar to other redirection schemes.” continues IBM.

While victims are on the phishing page, the content of this page is actually under a blank overlay mask that covers the entire screen. By covering up the malicious content, cybercriminals making it look like an empty page.

The researchers discovered that both phases of the attack are coordinated by a C&C server located in Russia.

In the second phase of the attack, the crooks remove the overlay screen in order to display the phishing page.

“To carry out this second step, GozNym imports external JavaScript to the fake page. The scripts manipulate the Document Object Model (DOM) — an approach that enables malware to access and change the internal data of targeted Web pages — and remove the div element from the page. In most cases the fake page looks like the bank’s login page, allowing victims to enter their username and password.” continues the IBM.

After the malware displays the initial phishing login page, it displays a delay screen via webinjection asking the victim to wait. In this phase the malware receives from the C&C server additional webinjections to trick users to divulge further information about their accounts.

The experts discovered that this second round of webinjections is transferred from a second server. “Why divide the scheme to be delivered via two servers? Most likely, GozNym’s operators are intentionally making the attack’s setup trickier for researchers to figure out.”

The complexity of the attack led the expert into belief that hackers belong to a major cyber criminal crew operating across the world.

“Projects of this technical level are the domain of a few major cybercrime gangs active in the world. Convincing redirection attacks are a resource-intensive endeavor that require their operators to invest heavily in creating website replicas of individual targeted banks. The Nymaim gang stands out as one of very few groups with this capability,” read the blog post. “Currently, the only other known malware actively using redirection attacks is the Dridex gang. Rumors say a Neverquest faction also employs them; however, the latter has not yet been detected in the wild.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – GozNym Trojan, malware)

you might also like

leave a comment