Research for this post was facilitated by Gal Meiri.

IBM X-Force researchers who study cybercrime threats and malware configurations report that the GozNym banking malware, a Trojan hybrid previously covered in early April, is expanding the reach of its nefarious redirection attacks to the U.S.

Not two months after setting up and launching redirection attacks on banks in Poland, GozNym’s operators are testing those out on four of the largest banks in the U.S. Unsurprisingly for GozNym, the attackers are focusing the malware’s configuration on business banking services.

The list of redirection targets appears limited at this time, but past cases such as Dridex’s redirection campaigns prove that these attacks often begin with a few targets and then expand.

What’s in a Redirection Attack?

The overall idea behind redirection attacks is to hijack malware-infected users to a website that looks exactly like their bank’s site and have them log into their account in a completely unprotected environment.

The victim’s credentials are stolen on the fake site in real time, tested against the bank’s genuine home page and used to initiate a fraudulent money transfer out of the account. Moreover, the victim is kept on the fake website, where the attacker can push social engineering notifications to them, making them divulge personally identifiable information (PII) and two-factor authentication elements.
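Because the stolen credentials are replayed against the genuine site from the attackers’ own infrastructure, the bank’s authentication logs carry a signal the victim’s browser does not: one source address logging in as several unrelated customers in quick succession, and transfers that follow a first-seen-address login within minutes. The detection below is an added example written for this post, not IBM’s or any bank’s code; the log format, the constructed sample lines, the per-customer address history and the thresholds are all assumptions chosen for illustration.

```python
"""Bank-side detection of credential-relay patterns over constructed auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real bank data): timestamp, event, user, source IP.
# 203.0.113.7 plays the attackers' credential-testing server; dave is a normal customer.
SAMPLE_LOG = """\
2016-06-01T09:00:01 LOGIN alice 203.0.113.7
2016-06-01T09:00:15 LOGIN bob 203.0.113.7
2016-06-01T09:00:40 LOGIN carol 203.0.113.7
2016-06-01T09:03:10 TRANSFER alice 203.0.113.7
2016-06-01T09:01:00 LOGIN dave 198.51.100.4
2016-06-01T10:30:00 TRANSFER dave 198.51.100.4
"""

# Assumed per-customer history of addresses seen before (constructed).
KNOWN_IPS = {
    "alice": {"192.0.2.10"},
    "bob": {"192.0.2.11"},
    "carol": {"192.0.2.12"},
    "dave": {"198.51.100.4"},
}


def parse_log(text):
    """Parse 'ts kind user ip' lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, "ip": ip})
    events.sort(key=lambda e: e["ts"])
    return events


def shared_source_logins(events, min_users=3, window=timedelta(minutes=5)):
    """Flag source IPs that authenticate as >= min_users distinct customers
    within `window`: the footprint of a server replaying harvested credentials."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "LOGIN":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, logins in by_ip.items():
        for i, first in enumerate(logins):  # sliding window from each login
            users = {l["user"] for l in logins[i:] if l["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                flagged.setdefault(ip, set()).update(users)
    return flagged


def transfers_after_new_ip_login(events, known_ips, window=timedelta(minutes=10)):
    """Flag (user, ip) pairs where a login from a never-seen address is
    followed by a transfer from that same address within `window`."""
    pending = {}  # (user, ip) -> time of the first-seen-address login
    hits = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["kind"] == "LOGIN" and e["ip"] not in known_ips.get(e["user"], set()):
            pending[key] = e["ts"]
        elif e["kind"] == "TRANSFER" and key in pending and e["ts"] - pending[key] <= window:
            hits.append(key)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shared-source logins:", shared_source_logins(evs))
    print("transfers after new-IP login:", transfers_after_new_ip_login(evs, KNOWN_IPS))
```

Neither rule alone is conclusive (a corporate NAT also puts many customers behind one address), so in practice both signals would feed a risk score alongside device fingerprinting rather than block on their own.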

It’s important to note that the bank’s website is not being compromised in any way; rather, the victim is redirected from it immediately. The fake sites are perfect replicas, hosted on servers the cybercriminals control. They also present the correct URL in the address bar and even show the bank’s SSL certificate on the top bar. The latter is a technical trick programmed to pull the certificate from the genuine website to the fake one.
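A site that keeps the real URL in the address bar while serving content from elsewhere has to steer the connection somewhere on the infected endpoint. The post does not detail GozNym’s mechanism, so the following is an added example of the kind of local integrity check an endpoint or helpdesk tool can run; it is not IBM’s code. It assumes the redirect shows up as a hosts-file override, a name resolution outside the bank’s published address ranges, or a TLS certificate that does not match a pinned fingerprint; in-browser hooking is outside its scope. The hostname, hosts-file text, address ranges and certificate bytes are all constructed placeholders.

```python
"""Endpoint-side indicators of a local redirect of a banking hostname."""
import hashlib
import ipaddress

BANK_HOST = "online.examplebank.test"          # constructed placeholder hostname
EXPECTED_CIDRS = ["198.51.100.0/24"]           # assumed published ranges for the bank

# Constructed hosts-file content (not taken from a real infected host).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
# an override that pins the bank's hostname to an address the bank does not own
203.0.113.50 online.examplebank.test www.examplebank.test
"""
CLEAN_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"

# Constructed stand-ins for DER certificate bytes; a real check pins the
# SHA-256 of the bank's actual leaf or SPKI.
GENUINE_CERT_DER = b"constructed-genuine-certificate-bytes"
OTHER_CERT_DER = b"constructed-other-certificate-bytes"
PINNED = [hashlib.sha256(GENUINE_CERT_DER).hexdigest()]


def hosts_overrides(hosts_text, watched_hosts):
    """Return {hostname: address} for watched hostnames present in a hosts file.
    A banking hostname has no business being pinned locally."""
    found = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower() in watched_hosts:
                found[name.lower()] = addr
    return found


def address_outside_ranges(addr, expected_cidrs):
    """True if the resolved address is not inside any expected network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in ipaddress.ip_network(c) for c in expected_cidrs)


def cert_fingerprint_matches(cert_der, pinned_sha256):
    """Compare the SHA-256 of the presented certificate against the pin set."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return digest in {p.lower() for p in pinned_sha256}


def check_endpoint(hostname, hosts_text, resolved_addrs, expected_cidrs,
                   cert_der, pinned):
    """Collect human-readable findings; an empty list means no indicator fired."""
    findings = []
    overrides = hosts_overrides(hosts_text, {hostname})
    if hostname in overrides:
        findings.append(f"hosts-file override: {hostname} -> {overrides[hostname]}")
    for addr in resolved_addrs:
        if address_outside_ranges(addr, expected_cidrs):
            findings.append(f"resolved address outside expected ranges: {addr}")
    if not cert_fingerprint_matches(cert_der, pinned):
        findings.append("presented certificate does not match pinned fingerprint")
    return findings


if __name__ == "__main__":
    # Resolved addresses would normally come from socket.getaddrinfo on the host.
    for f in check_endpoint(BANK_HOST, SAMPLE_HOSTS, ["203.0.113.50"],
                            EXPECTED_CIDRS, OTHER_CERT_DER, PINNED):
        print("FINDING:", f)
```

The certificate comparison deliberately reads what the TLS layer actually presents, not what the browser draws in its chrome; the post notes that the replica can display the bank’s certificate, so this check is only as good as the layer it inspects.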

Take Dyre and Dridex for example: The redirection capability was a major differentiator for these two gangs. In Dyre’s case, it resulted in the threat claiming the top position as 2015’s most aggressive malware by attack volume, according to IBM Trusteer data. For Dridex, redirection attacks contributed to its climb from the rank of fifth in 2015 to the second-most aggressive banking malware in the first half of 2016.

Redirection attacks are not considered to be a technically complicated task, but they are clever and require ample resources to set up. This is also why redirection attacks are not deployed by all financial malware operators; rather, they are the domain of organized cybercrime.

Redirection attacks are often associated with the resources and capabilities of organized cybergangs that have developers on the team because extra setup and site maintenance is required to pull it off.

The only two groups that launch regular redirection attacks nowadays are GozNym and crews that operate the Dridex banking Trojan. Dridex uses redirection attacks against U.K. and U.S. banks.

GozNym’s Redirection Attacks: More than Meets the Eye

Although redirection schemes have already been effectively implemented in real-world attacks, the team behind the GozNym hybrid built its own special scheme designed to keep the attacks hidden from prying security researchers’ eyes.

GozNym’s redirection attacks share the same end goals as other redirection schemes:

  • Seamlessly hijack the victim to a malicious website, cutting them off from security offered by their bank.
  • Keep the attackers’ schemes on a separate website so the malware’s malicious webinjections, if any are involved, are not detected or blocked.
  • Protect the criminal’s modus operandi for much longer, making it hard for banks and security teams to understand how the fraud is being facilitated.

To prepare a successful redirection attack, GozNym has a two-stage process in place. At first, the malware redirects the victim to the fake site replica. It then masks the malicious webpage with a white overlay screen. The second part of the redirection is lifting the overlay and revealing the site replica to the infected user. IBM X-Force researchers believe the odd masking portion of the redirection attack is designed to keep the page looking harmless in an interim stage before it is presented to the victim.

In most cases, GozNym redirects the bank’s home page, but that’s not the only page the malware can redirect. There are cases where other pages are redirected to GozNym’s replica to force the victim to enter their login credentials.

What’s Next for GozNym?

IBM X-Force researchers believe that GozNym is an evolving malware project on the scale of other banking Trojans such as Neverquest and Dridex. The malware is quickly becoming a top global player, ranking fifth in the cybercrime arena for 2016 so far, according to attack volume data reported by IBM Security antifraud solutions.

GozNym’s redirection attacks started off in Poland and spread to the U.S. within two months. We expect that the cybercrime gang will add more bank targets to the redirection configuration, likely after an initial testing period.

IBM X-Force Research will be updating information and indicators of compromise on GozNym via the X-Force Exchange platform. Join XFE today to keep up to date about this threat and other findings from our cybercrime labs.

Relevant Sample MD5

The MD5 hashes are 20D6FE2353F3044D25D4FDC9F2872F39 and E17A79A6F7C8FE7F920DAD8CBCEE3DF0.

Detecting and Stopping GozNym Attacks

IBM Security has studied the GozNym malware and its various attack schemes. Our research can help banks and targeted organizations learn more about this high-risk threat and the best mitigation techniques. Banks and service providers can start by using adaptive malware detection solutions and protecting customer endpoints with malware intelligence, which provides real-time insight into fraudster techniques and capabilities.

Users looking to prevent malware infections on their endpoints must keep their operating system up to date at all times, update frequently used programs and delete those they no longer use. Since GozNym and banking malware like it are usually delivered as email attachments, it is critically important to never click on links or attachments in unsolicited email.
