Malware

GozNym Trojan even more sophisticated with a singular redirection mechanism

The cybercriminals behind the GozNym Trojan have started targeting users in European countries with a new two-phase redirection mechanism.

Last week, security experts from IBM X-Force Research spotted a new threat dubbed GozNym, a hybrid Trojan that combines the capabilities of the Gozi ISFB and Nymaim malware families.

The GozNym Trojan is particularly insidious: according to the IBM X-Force researchers, it is responsible for the theft of $4 million since it was first discovered about two weeks ago.

According to the researchers, the new malware is currently used in a campaign targeting business banking institutions, credit unions and retail banks. Among the victims of the GozNym Trojan are 24 financial institutions in North America.

The experts investigating the threat have now discovered that the threat actors have begun using the GozNym Trojan against organizations in Europe, including Polish webmail service providers, investment banking and consumer accounts at 17 banks in Poland, and one bank in Portugal.

The researchers highlighted the significant development effort behind the Trojan; the analysis of the configuration used by recent samples shows one of the widest attack scopes ever observed in Poland.

“According to X-Force research, this configuration has one of the widest attack scopes in Poland, proving that the country has become a lucrative target for organized cybercrime.” states the blog post published by IBM. “While the list of targeted entities features redirection instructions for 17 bank brands, it further includes close to 230 URLs targeting the websites of community banks and webmail service providers in Poland.”

Once the GozNym Trojan has compromised a device, it monitors the victim’s browsing. When the victim visits one of the websites listed in the configuration file, the malware redirects the browser to a phishing page that reproduces the legitimate service.

The redirection mechanism implemented by the GozNym Trojan uses a two-phase scheme that makes forensic analysis harder.

GozNym’s redirection attacks are made up of two distinct phases, with the end goals of:

  1. Seamlessly redirecting the victim to the malicious website; and
  2. Keeping the attackers’ schemes on a separate website to help the criminals keep their modus operandi under wraps.

In the first phase, when the victim visits a targeted website, the browser is redirected to a phishing page that the crooks use to collect credentials and two-factor authentication data. The phishing page appears to be hosted on the legitimate domain.

“The fake page is designed to appear legitimate, carrying the bank’s URL and SSL certificate in the address bar to make sure the victims do not suspect they are on the wrong site. The attack manages to achieve this by sending empty/idle requests to the bank to keep the SSL connection alive. So far, it’s similar to other redirection schemes.” continues IBM.

While the victim is on the phishing page, its content actually sits under a blank overlay mask that covers the entire screen. By covering the malicious content, the cybercriminals make the page look empty.

The researchers discovered that both phases of the attack are coordinated by a C&C server located in Russia.

In the second phase of the attack, the crooks remove the overlay screen in order to display the phishing page.

“To carry out this second step, GozNym imports external JavaScript to the fake page. The scripts manipulate the Document Object Model (DOM) — an approach that enables malware to access and change the internal data of targeted Web pages — and remove the div element from the page. In most cases the fake page looks like the bank’s login page, allowing victims to enter their username and password.” continues the IBM post.

After the malware displays the initial phishing login page, it shows a delay screen, delivered via webinjection, asking the victim to wait. In this phase the malware receives additional webinjections from the C&C server to trick the user into divulging further information about the account.

The experts discovered that this second round of webinjections is delivered from a second server. “Why divide the scheme to be delivered via two servers? Most likely, GozNym’s operators are intentionally making the attack’s setup trickier for researchers to figure out,” the IBM post notes.
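The structure described above, a blank full-viewport div hiding the fake login form plus injected scripts pulled from servers other than the bank’s own (including the second-phase injections served from a separate server), is something a defender can look for in a captured page. The following is an added example, not IBM X-Force’s code and not taken from GozNym samples: a small Node.js heuristic scanner that flags a page when both traits appear together. The host names, the page URL and the 203.0.113.5 script server in the embedded samples are constructed placeholders, and the CSS heuristic (a pinned, full-size, opaque div) is an assumption about how such a mask would typically be styled, not a description of GozNym’s actual markup.

```javascript
// Added example (not IBM X-Force code, not GozNym code): heuristic scan of a
// captured HTML page for the two traits the article attributes to the fake
// bank page: a blank full-viewport overlay div and scripts loaded from an
// origin other than the page's own. Plain Node.js, no dependencies.

// Parse the attributes of one opening tag into an object with lower-cased keys.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Collect the attribute sets of every opening tag of one element type.
function findTags(html, tagName) {
  const re = new RegExp(`<${tagName}\\b([^>]*)>`, 'gi');
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(parseAttributes(m[1]));
  return found;
}

// Turn "position:fixed; top:0" into { position: 'fixed', top: '0' }.
function parseStyle(styleText) {
  const style = {};
  for (const decl of (styleText || '').split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim().toLowerCase();
    if (prop) style[prop] = value;
  }
  return style;
}

// Assumed shape of a "blank overlay mask": taken out of the flow, pinned to
// the viewport, sized to cover it, and painted with an opaque background so
// that whatever sits underneath reads as an empty page.
function isBlankOverlay(style) {
  const covers = (v) => v === '100%' || v === '100vw' || v === '100vh';
  const pinned = ['fixed', 'absolute'].includes(style.position);
  const full = covers(style.width) && covers(style.height);
  const bg = style['background-color'] || style.background || '';
  const opaque = bg !== '' && bg !== 'transparent' && bg !== 'none';
  return pinned && full && opaque;
}

// Resolve every <script src> against the page URL and keep the ones whose
// origin differs from the page's origin; those are the pivot points for
// finding the injection server(s).
function foreignScriptSources(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const out = [];
  for (const attrs of findTags(html, 'script')) {
    if (!attrs.src) continue;
    let resolved;
    try { resolved = new URL(attrs.src, pageUrl); } catch { continue; }
    if (resolved.origin !== pageOrigin) out.push(resolved.href);
  }
  return out;
}

// Scan one page; flag it only when both traits are present together.
function scanPage(html, pageUrl) {
  const overlays = findTags(html, 'div')
    .filter((attrs) => isBlankOverlay(parseStyle(attrs.style)))
    .map((attrs) => attrs.id || '(no id)');
  const foreignScripts = foreignScriptSources(html, pageUrl);
  return { overlays, foreignScripts, suspicious: overlays.length > 0 && foreignScripts.length > 0 };
}

// Constructed sample mimicking the structure the article describes. The host
// names and the 203.0.113.5 (TEST-NET-3) address are placeholders.
const SUSPECT_PAGE = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://203.0.113.5/inject/phase2.js"></script>
</head><body>
  <div id="mask" style="position:fixed; top:0; left:0; width:100%; height:100%; background:#fff; z-index:9999"></div>
  <form id="login"><input name="user"><input name="pass" type="password"></form>
</body></html>`;

// Constructed benign page: a small fixed cookie banner and same-origin scripts only.
const BENIGN_PAGE = `
<html><head><script src="https://www.example-bank.test/static/app.js"></script></head>
<body>
  <div id="cookie-banner" style="position:fixed; bottom:0; width:100%; height:40px; background:#eee"></div>
  <form id="login"><input name="user"><input name="pass" type="password"></form>
</body></html>`;

const PAGE_URL = 'https://www.example-bank.test/login';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanPage(SUSPECT_PAGE, PAGE_URL), null, 2));
  console.log(JSON.stringify(scanPage(BENIGN_PAGE, PAGE_URL), null, 2));
}
```

Run it with node to print the two scan results. The heuristic is deliberately conservative: either trait alone is common on legitimate sites (modal backdrops, CDN-hosted scripts), so only the combination is flagged, and the list of foreign script origins is what an analyst would pivot on to locate the second injection server the researchers describe.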

The complexity of the attack led the experts to believe that the operators belong to one of the major cybercrime gangs active worldwide.

“Projects of this technical level are the domain of a few major cybercrime gangs active in the world. Convincing redirection attacks are a resource-intensive endeavor that require their operators to invest heavily in creating website replicas of individual targeted banks. The Nymaim gang stands out as one of very few groups with this capability,” read the blog post. “Currently, the only other known malware actively using redirection attacks is the Dridex gang. Rumors say a Neverquest faction also employs them; however, the latter has not yet been detected in the wild.”


Pierluigi Paganini

(Security Affairs – GozNym Trojan, malware)
