Research for this post was performed by Gal Meiri and Ziv Karliner.

The GozNym banking malware, a Trojan hybrid discovered by IBM X-Force in early April, isn’t wasting any time. A week after launching an aggressive attack campaign on 24 banks in North America, GozNym’s operators are spreading a new European configuration. On the list this time: corporate, SMB, investment banking and consumer accounts held with major Polish banks; one bank in Portugal; and one American bank.

It gets worse. The GozNym team has apparently been hard at work: The release of the new configuration includes the launch of redirection attacks currently targeting 17 select banks in Poland and one major Portuguese bank.

According to X-Force research, this configuration has one of the widest attack scopes in Poland, proving that the country has become a lucrative target for organized cybercrime. While the list of targeted entities features redirection instructions for 17 bank brands, it further includes close to 230 URLs targeting the websites of community banks and webmail service providers in Poland.

Redirection Attacks: A Cybergang’s Blueprint

Redirection attacks are successful because they bypass bank security measures by taking victims to a malicious website before they ever reach the bank’s actual site. The malicious website is a replica of the bank’s legitimate page, leaving victims unaware that they’ve been tricked.

By keeping victims away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes on the replica site, all without the bank knowing that the customer’s session has been compromised.

Redirection attacks are most often identified with the resources and capabilities of organized cybergangs with developers on their team. There is extra setup required to pull the effort off, specifically the maintenance and updating of unique site replicas for each target.

The technique first surfaced in 2014 when the Dyre gang launched it, targeting banks primarily in the U.K., U.S., Australia and Spain. Although Dyre activity died down in November 2015, its methods lived on.

Less than two months after Dyre disappeared, X-Force reported the Dridex Trojan launched Dyre-like redirection attacks in the U.K. Now, three months after Dridex’s redirection efforts, the Nymaim gang has launched its own version of the redirection scheme via the GozNym hybrid’s configuration.

What’s Special About These Attacks?

The idea behind redirection attacks is to send the victim to an entirely different website than the legitimate online banking site. Note here that the bank’s website is not being compromised.

Rather, clever attackers are creating convincing replicas of bank websites hosted on other servers, where they can then capture credentials and two-factor authentication data to take over the victim’s real account. This attack scheme allows criminals to steal user credentials in real time while they are on a malicious site, away from the protection banks offer customers.

With Dyre, the redirection capability was a major differentiator, which resulted in Dyre climbing to the top position as 2015’s most aggressive malware by attack volume before it was even one year old, according to IBM Trusteer data.

One Double-Headed Beast, Two C&Cs and a Two-Stage Redirection

Although redirection schemes have already been successfully implemented in real-world attacks by Dyre and Dridex, the team behind the GozNym hybrid built its own special scheme, designed to keep the attacks hidden from the prying eyes of security researchers.

GozNym’s redirection attacks are made up of two distinct phases, with the end goals of:

1. Seamlessly redirecting the victim to the malicious website; and
2. Keeping the attackers’ schemes on a separate website to help the criminals keep their modus operandi under wraps.

Let’s go over the basics of how GozNym’s developers designed its new redirection scheme.

Step One: Redirect and Mask

The first stage of the redirection attack is composed of two parts: initial redirection and an overlay mask. It is triggered when a victim attempts to navigate to one of the targeted banks’ URLs in GozNym’s configuration. When that happens, the Trojan immediately sends the victim the corresponding fake page.

The fake page is designed to appear legitimate, carrying the bank’s URL and SSL certificate in the address bar to make sure the victims do not suspect they are on the wrong site. The attack manages to achieve this by sending empty/idle requests to the bank to keep the SSL connection alive. So far, it’s similar to other redirection schemes.

But this is where the differences kick in. When the fake page is delivered to the victim’s browser, it comes covered with a blank overlay screen on top of it. The blank page is a simple CSS trick known as an empty div element, which is plastered over the entire screen. This curtain does not delete anything from the fake page’s source code; it only covers up the malicious content of the phishing page, making it look empty to prevent unintended parties such as security researchers from examining its content.

The redirection, the fake page and the overlay are fetched from one out of two command-and-control (C&C) servers communicating with the GozNym malware. According to X-Force research, the server appears to be hosted in Moscow.

Step Two: Lift Overlay, Get Webinjections

The second stage of the redirection attack is designed to remove the overlay screen; it displays the malicious site’s content to the victim.

To carry out this second step, GozNym imports external JavaScript to the fake page. The scripts manipulate the Document Object Model (DOM) — an approach that enables malware to access and change the internal data of targeted Web pages — and remove the div element from the page. In most cases the fake page looks like the bank’s login page, allowing victims to enter their username and password.

After that initial fake login, the malware displays a delay screen via webinjection asking the victim to wait. While the victim is on hold, the fraudster queries the C&C server for additional webinjections to trick users to divulge further information about their accounts.

This second step is communicated from a second server. Why divide the scheme to be delivered via two servers? Most likely, GozNym’s operators are intentionally making the attack’s setup trickier for researchers to figure out.

What’s Next for GozNym?

The attack schemes added to the GozNym Trojan in the past few weeks makes it is clear the project is evolving quickly and becoming a serious player in the financial threat landscape. IBM X-Force expects to see increases in GozNym attacks and the expansion of redirection attacks to include a larger set of banks.

Projects of this technical level are the domain of a few major cybercrime gangs active in the world. Convincing redirection attacks are a resource-intensive endeavor that require their operators to invest heavily in creating website replicas of individual targeted banks. The Nymaim gang stands out as one of very few groups with this capability.

Currently, the only other known malware actively using redirection attacks is the Dridex gang. Rumors say a Neverquest faction also employs them; however, the latter has not yet been detected in the wild.

Detecting and Stopping GozNym Attacks

The GozNym hybrid is a powerful new banking Trojan, as stealthy and persistent as the Nymaim loader while also possessing the Gozi ISFB Trojan’s ability to manipulate Web sessions and perform online banking fraud attacks.

To help stop threats like GozNym, banks and service providers can use adaptive malware detection solutions and protect customer endpoints with malware intelligence that provides real-time insight into fraudster techniques and capabilities. These tools are designed to address the relentless evolution of the threat landscape.

Users looking to prevent malware infections on their endpoints must keep operating systems up to date at all times, update frequently used programs and delete applications they no longer use. Preventing Trojan infection includes disabling ads and avoiding susceptible sites typically used as infection hubs. Never clicking on links or attachments in unsolicited emails is also critically important.

Most cases of malware infections, including GozNym’s, begin with a malware-laden spam email that lures victims into opening an attachment. If users are not expecting this communication, their best bet is to delete the email immediately and then check their accounts or contact their service provider to look into the matter.

Those who frequently bank away from home are advised to never access any of their personal accounts from public computers in libraries, coffee shops or other locales offering Internet access. Conduct online banking sessions only on trusted devices that are protected by security solutions and limited to the use of the account owner.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust