June 22, 2016 By Limor Kessem 4 min read

Research for this post was facilitated by Gal Meiri.

IBM X-Force researchers who study cybercrime threats and malware configurations report that the GozNym banking malware, a Trojan hybrid previously covered in early April, is expanding the reach of its nefarious redirection attacks to the U.S.

Not two months after setting up and launching redirection attacks on banks in Poland, GozNym’s operators are testing those out on four of the largest banks in the U.S. Unsurprisingly for GozNym, the attackers are focusing the malware’s configuration on business banking services.

The list of redirection targets appears limited at this time, but past cases such as Dridex’s redirection campaigns prove that these attacks often begin with a few targets and then expand.

What’s in a Redirection Attack?

The overall idea behind redirection attacks is to hijack malware-infected users to a website that looks exactly like their bank’s site and having them log into their account in a completely unprotected environment.

The victim’s credentials are stolen on the fake site in real time, tested against the bank’s genuine home page and used to initiate a fraudulent money transfer out of the account. Moreover, the victim is kept on the fake website, where the attacker can push social engineering notifications to them, making them divulge personally identifiable information (PII) and two-factor authentication elements.

It’s important to note that the bank’s website is not being compromised in any way; rather, the victim is redirected from it immediately. The fake sites are perfect replicas, hosted on servers the cybercriminals control. They also present the correct URL in the address bar and even show the bank’s SSL certificate on the top bar. The latter is a technical trick programmed to pull the certificate from the genuine website to the fake one.

Take Dyre and Dridex for example: The redirection capability was a major differentiator for these two gangs. In Dyre’s case, it resulted in the threat claiming the top position as 2015’s most aggressive malware by attack volume, according to IBM Trusteer data. For Dridex, redirection attacks contributed to its climb from the rank of fifth in 2015 to the second-most aggressive banking malware in the first half of 2016.

Redirection attacks are not considered to be a technically complicated task, but they are clever and require ample resources to set up. This is also why redirection attacks are not deployed by all financial malware operators; rather, they are the domain of organized cybercrime.

Redirection attacks are often associated with the resources and capabilities of organized cybergangs that have developers on the team because extra setup and site maintenance is required to pull it off.

The only two groups that launch regular redirection attacks nowadays are GozNym and crews that operate the Dridex banking Trojan. Dridex uses redirection attacks against U.K. and U.S. banks.

GozNym’s Redirection Attacks: More than Meets the Eye

Although redirection schemes have already been effectively implemented in real-world attacks, the team behind the GozNym hybrid built its own special scheme designed to keep the attacks hidden from prying security researchers’ eyes.

GozNym’s redirection attacks share the same end goal as others like it:

  • Seamlessly hijack the victim to a malicious website, cutting them off from security offered by their bank.
  • Keep the attackers’ schemes on a separate website so the malware’s malicious webinjections, if any are involved, are not detected or blocked.
  • Protect the criminal’s modus operandi for much longer, making it hard for banks and security teams to understand how the fraud is being facilitated.

To prepare a successful redirection attack, GozNym has a two-stage process in place. At first, the malware redirects the victim to the fake site replica. It then masks the malicious webpage with a white overlay screen. The second part of the redirection is lifting the overlay and revealing the site replica to the infected user. IBM X-Force researchers believe the odd masking portion of the redirection attack is designed to keep the page looking harmless in an interim stage before it is presented to the victim.

In most cases, GozNym redirects the bank’s home page, but that’s not the only page the malware can redirect. There are cases where other pages are redirected to GozNym’s replica to force the victim to enter their login credentials.

What’s Next for GozNym?

IBM X-Force researchers believe that GozNym is an evolving malware project on the scale of other banking Trojans such as Neverquest and Dridex. The malware is quickly becoming a top global player, ranking fifth in the cybercrime arena for 2016 so far, according to attack volume data reported by IBM Security antifraud solutions.

GozNym’s redirection attacks started off in Poland and spread to the U.S. within two months. We expect that the cybercrime gang will add more bank targets to the redirection configuration, likely after an initial testing period.

IBM X-Force Research will be updating information and indicators of compromise on GozNym via the X-Force Exchange platform. Join XFE today to keep up to date about this threat and other findings from our cybercrime labs.

Relevant Sample MD5

The MD5 hashes are 20D6FE2353F3044D25D4FDC9F2872F39 and E17A79A6F7C8FE7F920DAD8CBCEE3DF0.

Detecting and Stopping GozNym Attacks

IBM Security has studied the GozNym malware and its various attack schemes. Our research can help banks and targeted organizations learn more about this high-risk threat and the best mitigation techniques. Banks and service providers can start by using adaptive malware detection solutions and protect customer endpoints with malware intelligence, which provides real-time insight into fraudster techniques and capabilities

Users looking to prevent malware infections on their endpoints must keep their operating system up to date at all times, update frequently used programs and delete those they no longer use. Since GozNym and banking malware like it are usually delivered as email attachments, it is critically important is to never click on links or attachments in unsolicited email.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Malware

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today