Cisco Talos profiled the GozNym botnet after cracking the trojan DGA

Pierluigi Paganini September 28, 2016

The Talos team published a detailed analysis of the GozNym botnet, it was possible because the experts cracked the DGA algorithm used by the malware.

In April 2015, the researchers from the  IBM X-Force Research discovered a new banking Trojan dubbed GozNym Trojan that combines best features of Gozi ISFB and Nymaim malware.

The GozNym has been seen targeting banking institutions, credit unions, and retail banks. Among the victims of the GozNym Trojan there are 24 financial institutions in North America and organizations in Europe, including a Polish webmail service providers, investment banking and consumer accounts at 17 banks in Poland and one bank in Portugal.

Now experts from Cisco’s Talos team who have analyzed the threat have identified four variants that differ in the usage of the Domain generation algorithm (DGA).

A DGA is an algorithm that allows malware to periodically generate a large number of domain names that are used as rendezvous points with their C&C servers.

The crooks used spear phishing messages containing specially crafted Word documents as an attack vector. Once the victims open the documents and enable the macro, a VBA code download and execute the GozNym.

Once the malware has infected a system, it checks Internet connectivity through a DNS query for and records. In presence of a connection, it contacts the command and control (C&C) domains generated by the DGA via a simple gethostbyname API call or via a complex DNS protocol implementation either or as its server.

The GozNym banking Trojan hijacks victims’ browsing sessions redirecting them to a phishing website.

The experts from the Talos group identified several DGA variants, below the description of one of them published by the malware researchers.

“In the first stage of DGA, a variation of the XORShift Pseudo-Random Number Generator (PRNG) is used to create a list of fifteen domains. The PRNG is seeded with a bit-shifted value of the current day, as well as two hard coded DWORDs. Each domain is between 5 and 12 lowercase letters long, followed by a randomly selected TLD of .net, .com, .in, or .pw. GozNym then uses Google’s DNS server to query each domain, and checks if the IP responses are publicly routable. Once it resolves 2 different IPs, it uses those in the second stage of the DGA.” reads the analysis published by the Talos group.

In the second stage, the malware creates a list of 128 domain names using the same methods of stage 1, but it replaces the hardcoded DWORD seeds with the IP addresses obtained in the first stage. The GozNym DGA is complex, but Cisco researchers have identified flaws that allowed them to predict domain names using brute force.

The researchers from Talos have discovered vulnerabilities in the DGA that allowed them to predict domain names used by the threat, an information that precious for malware hunters that can use DNS sinkholes to analyze the malware.

The experts were able to profile the botnet, the sinkhole server they used, received 23,062 beacons within the first 24 hours. This means that the botnet is roughly composed of 23,062 machines because each of the would only send just one beacon, except the cases of sandboxes, which may beacon out several times from a small set of IPs.

The number of unique IPs belonging to the botnet is 1854.

A loot at the top countries from which beacons were received reveals that most of them are from Germany (47%) and the United States (37%).


I suggest reading the analysis published by the Talos team that also include some scripts that can be used to analyze the GozNym samples:

  • which simulates the DGA used by GozNym.
  • which extracts parameters from the HTTP POST requests that are sent to C2 servers.
  • which allows for a decryption of the response payload.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – GozNym , cybercrime)

you might also like

leave a comment