Banking Trojans Nymaim, Gozi Merge to Steal $4M

“Double-headed beast” Trojan, GozNym, drains $4 million from banks in past two weeks.

Two powerful Trojans, Nymaim and Gozi ISFB, have been combined to create a “double-headed beast” called GozNym. The Trojan has managed to steal $4 million since it was first discovered just two weeks ago, according to IBM X-Force Research. It reports the hybrid Trojan is currently engaged in an active campaign, with 72 percent of its targets being business banking institutions, credit unions and retail banks.

“GozNym is an extremely stealthy Trojan combining the best of both Nymaim and Gozi ISFB to create a very problematic threat,” said Limor Kessem, a cybersecurity expert with IBM’s X-Force Research division, in an interview with Threatpost. “The attack numbers for GozNym have been extremely high given it’s only been around since April,” she said.

Kessem said the Trojan is being delivered primarily via email messages with so-called poisoned macros in a malware-infected attachment. Attackers then manipulate the victim’s browser, steal credentials and transfer money out of their accounts.
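The delivery vector above (a macro-bearing Office attachment on an email) is the point a mail gateway can check before the dropper ever runs. The following is an added example, written for this article and not code from IBM X-Force or Threatpost: it parses a raw message with Python's standard `email` library and flags attachments that contain a VBA project, using `vbaProject.bin` for Office Open XML files and the OLE directory-entry names `_VBA_PROJECT`, `Macros` and `VBA` as a heuristic for legacy `.doc`/`.xls` files. The sample message, attachments and all names are constructed here and contain no real malware.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Magic bytes that open every OLE compound file (legacy .doc/.xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Directory-entry names (UTF-16LE, NUL-terminated) that Office uses for VBA
# storage inside a legacy OLE document. Heuristic taken from the OLE/VBA
# file formats, not from the article; it can miss obfuscated containers.
OLE_VBA_MARKERS = [(name + "\x00").encode("utf-16-le")
                   for name in ("_VBA_PROJECT", "Macros", "VBA")]


def ooxml_has_macro(data: bytes) -> bool:
    """Office Open XML (.docm/.xlsm/.pptm) keeps VBA in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def ole_has_macro(data: bytes) -> bool:
    """Legacy binary Office files: flag if any VBA storage name appears."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in OLE_VBA_MARKERS)


def flag_macro_attachments(raw_mail: bytes) -> list:
    """Return the filenames of attachments that carry a VBA project."""
    msg = message_from_bytes(raw_mail, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        if ooxml_has_macro(payload) or ole_has_macro(payload):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged


# --- Constructed sample data (not real malware, not from the article) ---

def _make_ooxml(parts):
    """Build a minimal zip that mimics an OOXML container with the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in parts:
            zf.writestr(name, b"<placeholder/>")
    return buf.getvalue()


MACRO_DOCM = _make_ooxml(["[Content_Types].xml", "word/document.xml",
                          "word/vbaProject.bin"])
CLEAN_DOCX = _make_ooxml(["[Content_Types].xml", "word/document.xml"])
# Fake OLE header followed by a directory-entry name for the VBA project.
MACRO_DOC = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKERS[0] + b"\x00" * 64
CLEAN_DOC = OLE_MAGIC + b"\x00" * 504 + "WordDocument\x00".encode("utf-16-le")


def build_sample_mail(attachments) -> bytes:
    """Assemble a multipart message with the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached documents.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


SAMPLE_MAIL = build_sample_mail([
    ("invoice.docm", MACRO_DOCM),
    ("notes.docx", CLEAN_DOCX),
    ("statement.doc", MACRO_DOC),
    ("memo.doc", CLEAN_DOC),
])

if __name__ == "__main__":
    print("Attachments with embedded VBA:", flag_macro_attachments(SAMPLE_MAIL))
    # prints ['invoice.docm', 'statement.doc']
```

Run it as a script to see the two flagged attachments. In a real gateway the flagged names would feed a quarantine or user warning rather than a print; the OOXML check is exact, while the OLE check is a string heuristic, so an OLE parser such as oletools' `olevba` is the better choice for production.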

Combining Trojans, Kessem said, is not unheard of and is something the security world has seen in the not-so-distant past. Last year’s Shifu Trojan, for example, was a combination of several years’ worth of malware including Shiz, Gozi, Zeus and Dridex. And like Shifu, GozNym is a “double-headed beast,” Kessem said.

She said GozNym is a patchwork of sorts, in which the two code bases rely on one another to carry out the malware’s internal operations. “Together these two Trojans work much more effectively than apart,” Kessem said.

The hybrid GozNym borrows from Nymaim in that it uses that Trojan’s two-stage malware dropper to infect a system. After it infiltrates a computer, the Nymaim component of GozNym begins to fetch Gozi ISFB modules, which are responsible for the Trojan’s ability to inject a malicious dynamic link library (DLL), according to IBM X-Force Research.

“Before merging into an actual hybrid, earlier versions of Nymaim used to fetch and inject Gozi ISFB’s financial module as a complete DLL into the infected victim’s browser to enable web-injections on online banking sites,” Kessem wrote in a technical description of the Trojan. The first merged variant, GozNym, was detected in early April 2016, Kessem said.

As for the origins of Nymaim and Gozi ISFB: the Gozi Trojan has been behind online banking attacks since late 2007 and was known for its ability to steal SSL data using advanced Winsock2 functionality. The Nymaim Trojan was first spotted in 2013 and identified as ransomware. But, according to X-Force, both Trojans saw their source code leaked, allowing a third party to combine the two and create GozNym earlier this year.