Research for this post was facilitated by Gal Meiri.

IBM X-Force researchers who study cybercrime threats and malware configurations report that the GozNym banking malware, a Trojan hybrid previously covered in early April, is expanding the reach of its nefarious redirection attacks to the U.S.

Not two months after setting up and launching redirection attacks on banks in Poland, GozNym’s operators are testing those out on four of the largest banks in the U.S. Unsurprisingly for GozNym, the attackers are focusing the malware’s configuration on business banking services.

The list of redirection targets appears limited at this time, but past cases such as Dridex’s redirection campaigns prove that these attacks often begin with a few targets and then expand.

What’s in a Redirection Attack?

The overall idea behind redirection attacks is to hijack malware-infected users to a website that looks exactly like their bank’s site and having them log into their account in a completely unprotected environment.

The victim’s credentials are stolen on the fake site in real time, tested against the bank’s genuine home page and used to initiate a fraudulent money transfer out of the account. Moreover, the victim is kept on the fake website, where the attacker can push social engineering notifications to them, making them divulge personally identifiable information (PII) and two-factor authentication elements.

It’s important to note that the bank’s website is not being compromised in any way; rather, the victim is redirected from it immediately. The fake sites are perfect replicas, hosted on servers the cybercriminals control. They also present the correct URL in the address bar and even show the bank’s SSL certificate on the top bar. The latter is a technical trick programmed to pull the certificate from the genuine website to the fake one.

Take Dyre and Dridex for example: The redirection capability was a major differentiator for these two gangs. In Dyre’s case, it resulted in the threat claiming the top position as 2015’s most aggressive malware by attack volume, according to IBM Trusteer data. For Dridex, redirection attacks contributed to its climb from the rank of fifth in 2015 to the second-most aggressive banking malware in the first half of 2016.

Redirection attacks are not considered to be a technically complicated task, but they are clever and require ample resources to set up. This is also why redirection attacks are not deployed by all financial malware operators; rather, they are the domain of organized cybercrime.

Redirection attacks are often associated with the resources and capabilities of organized cybergangs that have developers on the team because extra setup and site maintenance is required to pull it off.

The only two groups that launch regular redirection attacks nowadays are GozNym and crews that operate the Dridex banking Trojan. Dridex uses redirection attacks against U.K. and U.S. banks.

GozNym’s Redirection Attacks: More than Meets the Eye

Although redirection schemes have already been effectively implemented in real-world attacks, the team behind the GozNym hybrid built its own special scheme designed to keep the attacks hidden from prying security researchers’ eyes.

GozNym’s redirection attacks share the same end goal as others like it:

  • Seamlessly hijack the victim to a malicious website, cutting them off from security offered by their bank.
  • Keep the attackers’ schemes on a separate website so the malware’s malicious webinjections, if any are involved, are not detected or blocked.
  • Protect the criminal’s modus operandi for much longer, making it hard for banks and security teams to understand how the fraud is being facilitated.

To prepare a successful redirection attack, GozNym has a two-stage process in place. At first, the malware redirects the victim to the fake site replica. It then masks the malicious webpage with a white overlay screen. The second part of the redirection is lifting the overlay and revealing the site replica to the infected user. IBM X-Force researchers believe the odd masking portion of the redirection attack is designed to keep the page looking harmless in an interim stage before it is presented to the victim.

In most cases, GozNym redirects the bank’s home page, but that’s not the only page the malware can redirect. There are cases where other pages are redirected to GozNym’s replica to force the victim to enter their login credentials.

What’s Next for GozNym?

IBM X-Force researchers believe that GozNym is an evolving malware project on the scale of other banking Trojans such as Neverquest and Dridex. The malware is quickly becoming a top global player, ranking fifth in the cybercrime arena for 2016 so far, according to attack volume data reported by IBM Security antifraud solutions.

GozNym’s redirection attacks started off in Poland and spread to the U.S. within two months. We expect that the cybercrime gang will add more bank targets to the redirection configuration, likely after an initial testing period.

IBM X-Force Research will be updating information and indicators of compromise on GozNym via the X-Force Exchange platform. Join XFE today to keep up to date about this threat and other findings from our cybercrime labs.

Relevant Sample MD5

The MD5 hashes are 20D6FE2353F3044D25D4FDC9F2872F39 and E17A79A6F7C8FE7F920DAD8CBCEE3DF0.

Detecting and Stopping GozNym Attacks

IBM Security has studied the GozNym malware and its various attack schemes. Our research can help banks and targeted organizations learn more about this high-risk threat and the best mitigation techniques. Banks and service providers can start by using adaptive malware detection solutions and protect customer endpoints with malware intelligence, which provides real-time insight into fraudster techniques and capabilities

Users looking to prevent malware infections on their endpoints must keep their operating system up to date at all times, update frequently used programs and delete those they no longer use. Since GozNym and banking malware like it are usually delivered as email attachments, it is critically important is to never click on links or attachments in unsolicited email.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today