The GozNym banking malware, a Trojan hybrid discovered by IBM X-Force in early April, continues to increase its activity against banks in Europe. More recently, the X-Force team discovered redirection attacks launched by the GozNym crew in Germany, targeting 13 banks and their local subsidiaries.

The new redirection schemes come in addition to webinjection-based attacks for all the targeted brands, demonstrating GozNym’s significant investment in German-language attack capabilities.

European Invasion

GozNym has been intensifying its activity across Europe, showing a very sharp peak in activity in August 2016. In numbers, this peak accounts for a 3,550 percent hike since July 2016 and a 526 percent rise compared to the total number of attacks since the birth of the GozNym hybrid (April to July 2016).

Figure 1: GozNym Trojan’s Attack Activity Timeline | Source: IBM Security

The GozNym hybrid emerged in April 2016, launching an aggressive attack campaign on 24 banks in North America. Per X-Force Research, two weeks after the initial discovery, GozNym’s operators began spreading a new configuration designed to target corporate, small and medium businesses banking, investment banking and consumer accounts at Polish banks. That was also when its operators began using redirection attacks for the first time — a rare capability in the cybercrime landscape.

By June 2016, GozNym redirection attacks started appearing in the U.S. Now, two months later, redirection attacks are coming to Germany.

Figure 2: GozNym Trojan’s Attack Activity Timeline | Source: IBM Security

Looking at GozNym’s timeline, it is evident that the gang operating the malware has the resources and savvy to deploy sophisticated cybercrime tactics against banks. The project is very active and evolving rapidly, making it likely to spread to additional countries over time.

Notably, the Dyre gang, the original contriver of malware redirection attacks, only managed to deploy them in English-speaking countries and in Spain. GozNym’s operators already have three distinct geographies under attack — in three different languages and in countries that have different banking systems.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Cybercrime Is All the Rage in Germany

IBM X-Force analysts looked into current underground trends focused on the German financial sector and have found that the topic is rather trendy.

Fraudsters target Germany in the same way that they target other geographies: They look for bank account credentials, SMS interception schemes and accomplices to work with on the cashing out of stolen funds.

The overall chatter is quite indicative of the fact that cybercriminals have the same interest in German banks as they do in other parts of Europe, adapting their schemes to the local banking systems to avoid detection and failed fraud attempts.

A Rapidly Evolving, Expanding Threat

GozNym is a hybrid banking Trojan believed to be created by the cybergang that operates the Nymaim dropper. The original group has been active since 2013, using its malware to launch vast ransomware campaigns that resulted in millions of infected endpoints around the globe.

With the new GozNym Trojan and the fresh attack schemes added to the malware in the past few months, it is clear that GozNym attacks are evolving quickly, turning it into a serious player in the financial threat landscape. IBM X-Force Research expects to see further rises in GozNym attacks in the coming weeks,as well as the expansion of redirection attacks to additional banks in the near future.

From a global perspective, GozNym attack volumes, as monitored by IBM Security, have been rising. The malware already ranks eighth on the top 10 most active financial Trojans list, adjacent to longer-standing malware gangs such as Tinba, Rovnix and GootKit.

Figure 3: Most Active Financial Malware Global Aug 2016 YTD | Source: IBM Security

Stopping GozNym Attacks in Their Tracks

IBM Security has studied GozNym malware and its various attack schemes, and we can help banks and other targeted organizations learn more about this high-risk threat. Banks and service providers can take steps toward stopping threats such as GozNym by utilizing adaptive malware detection solutions.

Users can prevent malware infections on their endpoints by making sure their operating systems are up to date, updating frequently used programs and deleting programs they don’t use. Sites typically used as infection hubs should be avoided.

As always, be sure never to click on links or open attachments in unsolicited email. Additionally, users should never access their personal accounts from public computers.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Banking & Finance

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…

What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.…