The GozNym banking malware, a Trojan hybrid discovered by IBM X-Force in early April, continues to increase its activity against banks in Europe. More recently, the X-Force team discovered redirection attacks launched by the GozNym crew in Germany, targeting 13 banks and their local subsidiaries.

The new redirection schemes come in addition to webinjection-based attacks for all the targeted brands, demonstrating GozNym’s significant investment in German-language attack capabilities.

European Invasion

GozNym has been intensifying its activity across Europe, showing a very sharp peak in activity in August 2016. In numbers, this peak accounts for a 3,550 percent hike since July 2016 and a 526 percent rise compared to the total number of attacks since the birth of the GozNym hybrid (April to July 2016).

Figure 1: GozNym Trojan’s Attack Activity Timeline | Source: IBM Security

The GozNym hybrid emerged in April 2016, launching an aggressive attack campaign on 24 banks in North America. Per X-Force Research, two weeks after the initial discovery, GozNym’s operators began spreading a new configuration designed to target corporate, small and medium businesses banking, investment banking and consumer accounts at Polish banks. That was also when its operators began using redirection attacks for the first time — a rare capability in the cybercrime landscape.

By June 2016, GozNym redirection attacks started appearing in the U.S. Now, two months later, redirection attacks are coming to Germany.

Figure 2: GozNym Trojan’s Attack Activity Timeline | Source: IBM Security

Looking at GozNym’s timeline, it is evident that the gang operating the malware has the resources and savvy to deploy sophisticated cybercrime tactics against banks. The project is very active and evolving rapidly, making it likely to spread to additional countries over time.

Notably, the Dyre gang, the original contriver of malware redirection attacks, only managed to deploy them in English-speaking countries and in Spain. GozNym’s operators already have three distinct geographies under attack — in three different languages and in countries that have different banking systems.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Cybercrime Is All the Rage in Germany

IBM X-Force analysts looked into current underground trends focused on the German financial sector and have found that the topic is rather trendy.

Fraudsters target Germany in the same way that they target other geographies: They look for bank account credentials, SMS interception schemes and accomplices to work with on the cashing out of stolen funds.

The overall chatter is quite indicative of the fact that cybercriminals have the same interest in German banks as they do in other parts of Europe, adapting their schemes to the local banking systems to avoid detection and failed fraud attempts.

A Rapidly Evolving, Expanding Threat

GozNym is a hybrid banking Trojan believed to be created by the cybergang that operates the Nymaim dropper. The original group has been active since 2013, using its malware to launch vast ransomware campaigns that resulted in millions of infected endpoints around the globe.

With the new GozNym Trojan and the fresh attack schemes added to the malware in the past few months, it is clear that GozNym attacks are evolving quickly, turning it into a serious player in the financial threat landscape. IBM X-Force Research expects to see further rises in GozNym attacks in the coming weeks,as well as the expansion of redirection attacks to additional banks in the near future.

From a global perspective, GozNym attack volumes, as monitored by IBM Security, have been rising. The malware already ranks eighth on the top 10 most active financial Trojans list, adjacent to longer-standing malware gangs such as Tinba, Rovnix and GootKit.

Figure 3: Most Active Financial Malware Global Aug 2016 YTD | Source: IBM Security

Stopping GozNym Attacks in Their Tracks

IBM Security has studied GozNym malware and its various attack schemes, and we can help banks and other targeted organizations learn more about this high-risk threat. Banks and service providers can take steps toward stopping threats such as GozNym by utilizing adaptive malware detection solutions.

Users can prevent malware infections on their endpoints by making sure their operating systems are up to date, updating frequently used programs and deleting programs they don’t use. Sites typically used as infection hubs should be avoided.

As always, be sure never to click on links or open attachments in unsolicited email. Additionally, users should never access their personal accounts from public computers.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Banking & Finance

How the ZeuS Trojan Info Stealer Changed Cybersecurity

4 min read - Information stealer malware is a type of malicious software designed to collect sensitive information from a victim’s computer. Also known as info stealers, data stealers or data-stealing malware, this software is true to its name: after infecting a computer or device, it’s highly adept at exfiltrating login credentials, financial information and personal data. Info stealers typically operate by monitoring keyboard input, capturing screenshots and intercepting network traffic. They may also search a hard drive for specific types of data. The…

4 min read

2022 Industry Threat Recap: Finance and Insurance

5 min read - The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

5 min read

How to Spot a Nefarious Cryptocurrency Platform

4 min read - Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

4 min read

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read