GozNym: The Banking Malware that Stole 4 Million Dollars

A new banking trojan has appeared in the United States and Canada, attacking the customers of 24 different banks and e-commerce websites since early April.

A condensed technology

GozNym resembles traditional banking malware in the same vein as Zeus and Citadel. Its infection method is fairly conventional: an infected email attachment or a drive-by download (an automatic download triggered simply by visiting a website).

What sets GozNym apart is its code: the trojan is actually a combination of two malware families, Gozi and Nymaim, hence the name "GozNym" given by the IBM X-Force Research team that discovered it.

The malware's developers have thus kept the "best" of Gozi, a banking trojan well known for its web injections, and of Nymaim, a malware that is almost undetectable thanks to techniques that let it evade antivirus software.

These techniques involve detecting analysis environments such as antivirus sandboxes, and deliberately complicating the code (obfuscation), which at the same time makes the work harder for the security researchers who want to study it.

Once the victim is infected, GozNym can inject code into the browser via a DLL (Dynamic Link Library), used for example to display a fake login window when the user visits their bank's website. The personal data entered there is then quietly harvested by the cyber criminals.

Powerful sponsors are backing the malware

Although the Gozi source code was made public in 2010, Nymaim's never was. This is why the IBM X-Force Research experts point to a group affiliated with organized crime, the same group that allegedly created Nymaim, as the likely author of the malware.

In practical terms, the malware is compatible with the latest browsers and is available for $500 per month (about 450 euros). For now, it targets "only" 24 financial institutions and e-commerce websites, and only in the United States.

Although hybrid malware is not new, banks should be concerned that cyber criminals are starting to combine the best technologies to attack their customers. Simple anti-malware software as a means of self-protection is dangerously underused.