Research for this post was facilitated by Gal Meiri.

IBM X-Force researchers who study cybercrime threats and malware configurations report that the GozNym banking malware, a Trojan hybrid previously covered in early April, is expanding the reach of its nefarious redirection attacks to the U.S.

Not two months after setting up and launching redirection attacks on banks in Poland, GozNym’s operators are testing them out on four of the largest banks in the U.S. Unsurprisingly for GozNym, the attackers are focusing the malware’s configuration on business banking services.

The list of redirection targets appears limited at this time, but past cases such as Dridex’s redirection campaigns prove that these attacks often begin with a few targets and then expand.

What’s in a Redirection Attack?

The overall idea behind redirection attacks is to hijack malware-infected users to a website that looks exactly like their bank’s site and have them log into their account in a completely unprotected environment.

The victim’s credentials are stolen on the fake site in real time, tested against the bank’s genuine home page and used to initiate a fraudulent money transfer out of the account. Moreover, the victim is kept on the fake website, where the attacker can push social engineering notifications to them, making them divulge personally identifiable information (PII) and two-factor authentication elements.

It’s important to note that the bank’s website is not being compromised in any way; rather, the victim is redirected from it immediately. The fake sites are perfect replicas, hosted on servers the cybercriminals control. They also present the correct URL in the address bar and even show the bank’s SSL certificate on the top bar. The latter is a technical trick programmed to pull the certificate from the genuine website to the fake one.

Take Dyre and Dridex for example: The redirection capability was a major differentiator for these two gangs. In Dyre’s case, it resulted in the threat claiming the top position as 2015’s most aggressive malware by attack volume, according to IBM Trusteer data. For Dridex, redirection attacks contributed to its climb from the rank of fifth in 2015 to the second-most aggressive banking malware in the first half of 2016.

Redirection attacks are not technically complicated, but they are clever and require ample resources to set up. This is also why redirection attacks are not deployed by all financial malware operators; rather, they are the domain of organized cybercrime.

Redirection attacks are therefore associated with organized cybergangs that have developers on the team, because the extra setup and ongoing maintenance of the replica sites is required to pull them off.

The only two groups that launch regular redirection attacks nowadays are GozNym and crews that operate the Dridex banking Trojan. Dridex uses redirection attacks against U.K. and U.S. banks.

GozNym’s Redirection Attacks: More than Meets the Eye

Although redirection schemes have already been effectively implemented in real-world attacks, the team behind the GozNym hybrid built its own special scheme designed to keep the attacks hidden from prying security researchers’ eyes.

GozNym’s redirection attacks share the same end goals as other schemes like it:

  • Seamlessly hijack the victim to a malicious website, cutting them off from security offered by their bank.
  • Keep the attackers’ schemes on a separate website so the malware’s malicious webinjections, if any are involved, are not detected or blocked.
  • Protect the criminals’ modus operandi for much longer, making it hard for banks and security teams to understand how the fraud is being facilitated.

To prepare a successful redirection attack, GozNym has a two-stage process in place. First, the malware redirects the victim to the fake site replica and then masks the malicious webpage with a white overlay screen. The second stage of the redirection is lifting the overlay and revealing the site replica to the infected user. IBM X-Force researchers believe the odd masking portion of the redirection attack is designed to keep the page looking harmless in an interim stage before it is presented to the victim.
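As an added example (not code from the IBM post or from the malware), the following heuristic models the mask-then-reveal sequence described above from the defender’s side: it scans a time-ordered list of DOM mutation records for a full-viewport, opaque, white element that is inserted and later removed. The viewport size, the style thresholds and the sample records are assumptions constructed for the example; in a real deployment the records would come from a MutationObserver in a browser extension.

```javascript
// Added example, not code from the IBM post or from GozNym. The events
// below are constructed inline so the logic runs stand-alone in Node.

const VIEWPORT = { width: 1280, height: 800 }; // assumed viewport size

// An element counts as a masking overlay when it is taken out of normal
// flow, spans the viewport, is near-white, opaque and stacked on top.
function isMaskingOverlay(style, viewport = VIEWPORT) {
  const outOfFlow = style.position === 'fixed' || style.position === 'absolute';
  const spansView = style.width >= viewport.width && style.height >= viewport.height;
  const white = /^(#fff(fff)?|white|rgb\(255,\s*255,\s*255\))$/i.test(style.background);
  const opaque = (style.opacity ?? 1) >= 0.95;
  const onTop = (style.zIndex ?? 0) >= 1000;
  return outOfFlow && spansView && white && opaque && onTop;
}

// Walks records of the form {t, type: 'added'|'removed', id, style} and
// reports every overlay that was shown and then lifted, plus any overlay
// still masking the page when the records end (reveal not yet observed).
function findMaskAndReveal(events, viewport = VIEWPORT) {
  const pending = new Map(); // id -> time the overlay was added
  const lifted = [];
  for (const ev of events) {
    if (ev.type === 'added' && isMaskingOverlay(ev.style, viewport)) {
      pending.set(ev.id, ev.t);
    } else if (ev.type === 'removed' && pending.has(ev.id)) {
      lifted.push({ id: ev.id, maskedMs: ev.t - pending.get(ev.id) });
      pending.delete(ev.id);
    }
  }
  return { lifted, stillMasked: [...pending.keys()] };
}

// Constructed sample: a benign small spinner (should not trigger), then a
// white full-page mask inserted at t=0 and lifted 1.8 s later.
const SAMPLE_EVENTS = [
  { t: 0, type: 'added', id: 'spinner', style: { position: 'absolute', width: 64, height: 64, background: '#fff', zIndex: 10 } },
  { t: 0, type: 'added', id: 'mask', style: { position: 'fixed', width: 1280, height: 800, background: '#FFFFFF', opacity: 1, zIndex: 2147483647 } },
  { t: 1800, type: 'removed', id: 'mask' },
  { t: 1900, type: 'removed', id: 'spinner' },
];

console.log(JSON.stringify(findMaskAndReveal(SAMPLE_EVENTS)));
```

A single overlay is not proof of fraud on its own; the signal is a masked page on a banking domain whose overlay is lifted shortly afterwards, which is the pattern worth correlating with other endpoint telemetry.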

In most cases, GozNym redirects the bank’s home page, but that’s not the only page the malware can redirect. There are cases where other pages are redirected to GozNym’s replica to force the victim to enter their login credentials.

What’s Next for GozNym?

IBM X-Force researchers believe that GozNym is an evolving malware project on the scale of other banking Trojans such as Neverquest and Dridex. The malware is quickly becoming a top global player, ranking fifth in the cybercrime arena for 2016 so far, according to attack volume data reported by IBM Security antifraud solutions.

GozNym’s redirection attacks started off in Poland and spread to the U.S. within two months. We expect that the cybercrime gang will add more bank targets to the redirection configuration, likely after an initial testing period.

IBM X-Force Research will be updating information and indicators of compromise on GozNym via the X-Force Exchange platform. Join XFE today to keep up to date about this threat and other findings from our cybercrime labs.

Relevant Sample MD5

The MD5 hashes are 20D6FE2353F3044D25D4FDC9F2872F39 and E17A79A6F7C8FE7F920DAD8CBCEE3DF0.

Detecting and Stopping GozNym Attacks

IBM Security has studied the GozNym malware and its various attack schemes. Our research can help banks and targeted organizations learn more about this high-risk threat and the best mitigation techniques. Banks and service providers can start by using adaptive malware detection solutions and protecting customer endpoints with malware intelligence, which provides real-time insight into fraudster techniques and capabilities.

Users looking to prevent malware infections on their endpoints must keep their operating system up to date at all times, update frequently used programs and delete those they no longer use. Since GozNym and banking malware like it are usually delivered as email attachments, it is critically important to never click on links or attachments in unsolicited email.
