GozNym’s Euro Trip: Launching Redirection Attacks in Germany

The GozNym banking malware, a Trojan hybrid discovered by IBM X-Force in early April, continues to increase its activity against banks in Europe. More recently, the X-Force team discovered redirection attacks launched by the GozNym crew in Germany, targeting 13 banks and their local subsidiaries.

The new redirection schemes come in addition to webinjection-based attacks for all the targeted brands, demonstrating GozNym’s significant investment in German-language attack capabilities.

European Invasion

GozNym has been intensifying its activity across Europe, showing a very sharp peak in activity in August 2016. In numbers, this peak accounts for a 3,550 percent hike since July 2016 and a 526 percent rise compared to the total number of attacks since the birth of the GozNym hybrid (April to July 2016).

goznym attacks germany-1

Figure 1: GozNym Trojan’s Attack Activity Timeline | Source: IBM Security

The GozNym hybrid emerged in April 2016, launching an aggressive attack campaign on 24 banks in North America. Per X-Force Research, two weeks after the initial discovery, GozNym’s operators began spreading a new configuration designed to target corporate, small and medium businesses banking, investment banking and consumer accounts at Polish banks. That was also when its operators began using redirection attacks for the first time — a rare capability in the cybercrime landscape.

By June 2016, GozNym redirection attacks started appearing in the U.S. Now, two months later, redirection attacks are coming to Germany.

goznym attacks germany-2

Figure 2: GozNym Trojan’s Attack Activity Timeline | Source: IBM Security

Looking at GozNym’s timeline, it is evident that the gang operating the malware has the resources and savvy to deploy sophisticated cybercrime tactics against banks. The project is very active and evolving rapidly, making it likely to spread to additional countries over time.

Notably, the Dyre gang, the original contriver of malware redirection attacks, only managed to deploy them in English-speaking countries and in Spain. GozNym’s operators already have three distinct geographies under attack — in three different languages and in countries that have different banking systems.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Cybercrime Is All the Rage in Germany

IBM X-Force analysts looked into current underground trends focused on the German financial sector and have found that the topic is rather trendy.

Fraudsters target Germany in the same way that they target other geographies: They look for bank account credentials, SMS interception schemes and accomplices to work with on the cashing out of stolen funds.

The overall chatter is quite indicative of the fact that cybercriminals have the same interest in German banks as they do in other parts of Europe, adapting their schemes to the local banking systems to avoid detection and failed fraud attempts.

A Rapidly Evolving, Expanding Threat

GozNym is a hybrid banking Trojan believed to be created by the cybergang that operates the Nymaim dropper. The original group has been active since 2013, using its malware to launch vast ransomware campaigns that resulted in millions of infected endpoints around the globe.

With the new GozNym Trojan and the fresh attack schemes added to the malware in the past few months, it is clear that GozNym attacks are evolving quickly, turning it into a serious player in the financial threat landscape. IBM X-Force Research expects to see further rises in GozNym attacks in the coming weeks,as well as the expansion of redirection attacks to additional banks in the near future.

From a global perspective, GozNym attack volumes, as monitored by IBM Security, have been rising. The malware already ranks eighth on the top 10 most active financial Trojans list, adjacent to longer-standing malware gangs such as Tinba, Rovnix and GootKit.

Goznym_Families_YTD

Figure 3: Most Active Financial Malware Global Aug 2016 YTD | Source: IBM Security

Stopping GozNym Attacks in Their Tracks

IBM Security has studied GozNym malware and its various attack schemes, and we can help banks and other targeted organizations learn more about this high-risk threat. Banks and service providers can take steps toward stopping threats such as GozNym by utilizing adaptive malware detection solutions.

Users can prevent malware infections on their endpoints by making sure their operating systems are up to date, updating frequently used programs and deleting programs they don’t use. Sites typically used as infection hubs should be avoided.

As always, be sure never to click on links or open attachments in unsolicited email. Additionally, users should never access their personal accounts from public computers.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Share this Article:
Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence  publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.