The GozNym banking malware, a Trojan hybrid discovered by IBM X-Force in early April, continues to increase its activity against banks in Europe. More recently, the X-Force team discovered redirection attacks launched by the GozNym crew in Germany, targeting 13 banks and their local subsidiaries.

The new redirection schemes come in addition to webinjection-based attacks for all the targeted brands, demonstrating GozNym’s significant investment in German-language attack capabilities.

European Invasion

GozNym has been intensifying its activity across Europe, showing a very sharp peak in activity in August 2016. In numbers, this peak accounts for a 3,550 percent hike since July 2016 and a 526 percent rise compared to the total number of attacks since the birth of the GozNym hybrid (April to July 2016).

Figure 1: GozNym Trojan’s Attack Activity Timeline | Source: IBM Security

The GozNym hybrid emerged in April 2016, launching an aggressive attack campaign on 24 banks in North America. Per X-Force Research, two weeks after the initial discovery, GozNym’s operators began spreading a new configuration designed to target corporate, small and medium businesses banking, investment banking and consumer accounts at Polish banks. That was also when its operators began using redirection attacks for the first time — a rare capability in the cybercrime landscape.

By June 2016, GozNym redirection attacks started appearing in the U.S. Now, two months later, redirection attacks are coming to Germany.

Figure 2: GozNym Trojan’s Attack Activity Timeline | Source: IBM Security

Looking at GozNym’s timeline, it is evident that the gang operating the malware has the resources and savvy to deploy sophisticated cybercrime tactics against banks. The project is very active and evolving rapidly, making it likely to spread to additional countries over time.

Notably, the Dyre gang, the original contriver of malware redirection attacks, only managed to deploy them in English-speaking countries and in Spain. GozNym’s operators already have three distinct geographies under attack — in three different languages and in countries that have different banking systems.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Cybercrime Is All the Rage in Germany

IBM X-Force analysts looked into current underground trends focused on the German financial sector and have found that the topic is rather trendy.

Fraudsters target Germany in the same way that they target other geographies: They look for bank account credentials, SMS interception schemes and accomplices to work with on the cashing out of stolen funds.

The overall chatter is quite indicative of the fact that cybercriminals have the same interest in German banks as they do in other parts of Europe, adapting their schemes to the local banking systems to avoid detection and failed fraud attempts.

A Rapidly Evolving, Expanding Threat

GozNym is a hybrid banking Trojan believed to be created by the cybergang that operates the Nymaim dropper. The original group has been active since 2013, using its malware to launch vast ransomware campaigns that resulted in millions of infected endpoints around the globe.

With the new GozNym Trojan and the fresh attack schemes added to the malware in the past few months, it is clear that GozNym attacks are evolving quickly, turning it into a serious player in the financial threat landscape. IBM X-Force Research expects to see further rises in GozNym attacks in the coming weeks,as well as the expansion of redirection attacks to additional banks in the near future.

From a global perspective, GozNym attack volumes, as monitored by IBM Security, have been rising. The malware already ranks eighth on the top 10 most active financial Trojans list, adjacent to longer-standing malware gangs such as Tinba, Rovnix and GootKit.

Figure 3: Most Active Financial Malware Global Aug 2016 YTD | Source: IBM Security

Stopping GozNym Attacks in Their Tracks

IBM Security has studied GozNym malware and its various attack schemes, and we can help banks and other targeted organizations learn more about this high-risk threat. Banks and service providers can take steps toward stopping threats such as GozNym by utilizing adaptive malware detection solutions.

Users can prevent malware infections on their endpoints by making sure their operating systems are up to date, updating frequently used programs and deleting programs they don’t use. Sites typically used as infection hubs should be avoided.

As always, be sure never to click on links or open attachments in unsolicited email. Additionally, users should never access their personal accounts from public computers.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Banking & Finance

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today