The GozNym banking malware, a Trojan hybrid discovered by IBM X-Force in early April, continues to increase its activity against banks in Europe. More recently, the X-Force team discovered redirection attacks launched by the GozNym crew in Germany, targeting 13 banks and their local subsidiaries.

The new redirection schemes come in addition to webinjection-based attacks for all the targeted brands, demonstrating GozNym’s significant investment in German-language attack capabilities.

European Invasion

GozNym has been intensifying its activity across Europe, showing a very sharp peak in activity in August 2016. In numbers, this peak accounts for a 3,550 percent hike since July 2016 and a 526 percent rise compared to the total number of attacks since the birth of the GozNym hybrid (April to July 2016).

Figure 1: GozNym Trojan’s Attack Activity Timeline | Source: IBM Security

The GozNym hybrid emerged in April 2016, launching an aggressive attack campaign on 24 banks in North America. Per X-Force Research, two weeks after the initial discovery, GozNym’s operators began spreading a new configuration designed to target corporate, small and medium businesses banking, investment banking and consumer accounts at Polish banks. That was also when its operators began using redirection attacks for the first time — a rare capability in the cybercrime landscape.

By June 2016, GozNym redirection attacks started appearing in the U.S. Now, two months later, redirection attacks are coming to Germany.

Figure 2: GozNym Trojan’s Attack Activity Timeline | Source: IBM Security

Looking at GozNym’s timeline, it is evident that the gang operating the malware has the resources and savvy to deploy sophisticated cybercrime tactics against banks. The project is very active and evolving rapidly, making it likely to spread to additional countries over time.

Notably, the Dyre gang, the original contriver of malware redirection attacks, only managed to deploy them in English-speaking countries and in Spain. GozNym’s operators already have three distinct geographies under attack — in three different languages and in countries that have different banking systems.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Cybercrime Is All the Rage in Germany

IBM X-Force analysts looked into current underground trends focused on the German financial sector and have found that the topic is rather trendy.

Fraudsters target Germany in the same way that they target other geographies: They look for bank account credentials, SMS interception schemes and accomplices to work with on the cashing out of stolen funds.

The overall chatter is quite indicative of the fact that cybercriminals have the same interest in German banks as they do in other parts of Europe, adapting their schemes to the local banking systems to avoid detection and failed fraud attempts.

A Rapidly Evolving, Expanding Threat

GozNym is a hybrid banking Trojan believed to be created by the cybergang that operates the Nymaim dropper. The original group has been active since 2013, using its malware to launch vast ransomware campaigns that resulted in millions of infected endpoints around the globe.

With the new GozNym Trojan and the fresh attack schemes added to the malware in the past few months, it is clear that GozNym attacks are evolving quickly, turning it into a serious player in the financial threat landscape. IBM X-Force Research expects to see further rises in GozNym attacks in the coming weeks,as well as the expansion of redirection attacks to additional banks in the near future.

From a global perspective, GozNym attack volumes, as monitored by IBM Security, have been rising. The malware already ranks eighth on the top 10 most active financial Trojans list, adjacent to longer-standing malware gangs such as Tinba, Rovnix and GootKit.

Figure 3: Most Active Financial Malware Global Aug 2016 YTD | Source: IBM Security

Stopping GozNym Attacks in Their Tracks

IBM Security has studied GozNym malware and its various attack schemes, and we can help banks and other targeted organizations learn more about this high-risk threat. Banks and service providers can take steps toward stopping threats such as GozNym by utilizing adaptive malware detection solutions.

Users can prevent malware infections on their endpoints by making sure their operating systems are up to date, updating frequently used programs and deleting programs they don’t use. Sites typically used as infection hubs should be avoided.

As always, be sure never to click on links or open attachments in unsolicited email. Additionally, users should never access their personal accounts from public computers.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Banking & Finance

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today