Research for this post was facilitated by Gal Meiri.

IBM X-Force researchers who study cybercrime threats and malware configurations report that the GozNym banking malware, a Trojan hybrid previously covered in early April, is expanding the reach of its nefarious redirection attacks to the U.S.

Not two months after setting up and launching redirection attacks on banks in Poland, GozNym’s operators are testing those out on four of the largest banks in the U.S. Unsurprisingly for GozNym, the attackers are focusing the malware’s configuration on business banking services.

The list of redirection targets appears limited at this time, but past cases such as Dridex’s redirection campaigns prove that these attacks often begin with a few targets and then expand.

What’s in a Redirection Attack?

The overall idea behind redirection attacks is to hijack malware-infected users to a website that looks exactly like their bank’s site and having them log into their account in a completely unprotected environment.

The victim’s credentials are stolen on the fake site in real time, tested against the bank’s genuine home page and used to initiate a fraudulent money transfer out of the account. Moreover, the victim is kept on the fake website, where the attacker can push social engineering notifications to them, making them divulge personally identifiable information (PII) and two-factor authentication elements.

It’s important to note that the bank’s website is not being compromised in any way; rather, the victim is redirected from it immediately. The fake sites are perfect replicas, hosted on servers the cybercriminals control. They also present the correct URL in the address bar and even show the bank’s SSL certificate on the top bar. The latter is a technical trick programmed to pull the certificate from the genuine website to the fake one.

Take Dyre and Dridex for example: The redirection capability was a major differentiator for these two gangs. In Dyre’s case, it resulted in the threat claiming the top position as 2015’s most aggressive malware by attack volume, according to IBM Trusteer data. For Dridex, redirection attacks contributed to its climb from the rank of fifth in 2015 to the second-most aggressive banking malware in the first half of 2016.

Redirection attacks are not considered to be a technically complicated task, but they are clever and require ample resources to set up. This is also why redirection attacks are not deployed by all financial malware operators; rather, they are the domain of organized cybercrime.

Redirection attacks are often associated with the resources and capabilities of organized cybergangs that have developers on the team because extra setup and site maintenance is required to pull it off.

The only two groups that launch regular redirection attacks nowadays are GozNym and crews that operate the Dridex banking Trojan. Dridex uses redirection attacks against U.K. and U.S. banks.

GozNym’s Redirection Attacks: More than Meets the Eye

Although redirection schemes have already been effectively implemented in real-world attacks, the team behind the GozNym hybrid built its own special scheme designed to keep the attacks hidden from prying security researchers’ eyes.

GozNym’s redirection attacks share the same end goal as others like it:

  • Seamlessly hijack the victim to a malicious website, cutting them off from security offered by their bank.
  • Keep the attackers’ schemes on a separate website so the malware’s malicious webinjections, if any are involved, are not detected or blocked.
  • Protect the criminal’s modus operandi for much longer, making it hard for banks and security teams to understand how the fraud is being facilitated.

To prepare a successful redirection attack, GozNym has a two-stage process in place. At first, the malware redirects the victim to the fake site replica. It then masks the malicious webpage with a white overlay screen. The second part of the redirection is lifting the overlay and revealing the site replica to the infected user. IBM X-Force researchers believe the odd masking portion of the redirection attack is designed to keep the page looking harmless in an interim stage before it is presented to the victim.

In most cases, GozNym redirects the bank’s home page, but that’s not the only page the malware can redirect. There are cases where other pages are redirected to GozNym’s replica to force the victim to enter their login credentials.

What’s Next for GozNym?

IBM X-Force researchers believe that GozNym is an evolving malware project on the scale of other banking Trojans such as Neverquest and Dridex. The malware is quickly becoming a top global player, ranking fifth in the cybercrime arena for 2016 so far, according to attack volume data reported by IBM Security antifraud solutions.

GozNym’s redirection attacks started off in Poland and spread to the U.S. within two months. We expect that the cybercrime gang will add more bank targets to the redirection configuration, likely after an initial testing period.

IBM X-Force Research will be updating information and indicators of compromise on GozNym via the X-Force Exchange platform. Join XFE today to keep up to date about this threat and other findings from our cybercrime labs.

Relevant Sample MD5

The MD5 hashes are 20D6FE2353F3044D25D4FDC9F2872F39 and E17A79A6F7C8FE7F920DAD8CBCEE3DF0.

Detecting and Stopping GozNym Attacks

IBM Security has studied the GozNym malware and its various attack schemes. Our research can help banks and targeted organizations learn more about this high-risk threat and the best mitigation techniques. Banks and service providers can start by using adaptive malware detection solutions and protect customer endpoints with malware intelligence, which provides real-time insight into fraudster techniques and capabilities

Users looking to prevent malware infections on their endpoints must keep their operating system up to date at all times, update frequently used programs and delete those they no longer use. Since GozNym and banking malware like it are usually delivered as email attachments, it is critically important is to never click on links or attachments in unsolicited email.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Malware

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

7 min read - In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

7 min read

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read