April 14, 2016 | By Limor Kessem and Lior Keshet | 5 min read

IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code together with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against two dozen U.S. and Canadian banks and other targets and has stolen millions of dollars so far. X-Force named this new hybrid GozNym.

The new GozNym hybrid takes the best of both Nymaim and Gozi ISFB to create a powerful Trojan. From Nymaim, it inherits the dropper's stealth and persistence; the Gozi ISFB parts add the banking Trojan's capabilities for committing fraud through infected Internet browsers. The end result is a new banking Trojan in the wild.

Internally, GozNym works like a double-headed beast: the two code bases rely on one another to carry out the malware's internal operations. More information about the hybrid's intertwined operation appears in the technical section of this blog.

Targeting North America

In terms of its current targets, X-Force noted that the GozNym hybrid's configuration is presently focused on the U.S., targeting 22 banks, credit unions and popular e-commerce platforms. Two financial institutions based in Canada are also on the list. The operators' primary targets are business accounts.

When Source Codes Collide

How was this hybrid created? GozNym's source code is composed of two known malware code bases, one of which is Gozi ISFB, which leaked in 2010. Gozi ISFB was actually leaked more than once: a second disclosure took place in late 2015, when a modified ISFB code base was rumored to have leaked again.

On the Nymaim side, the only group known to possess its source code is the original development team. The most likely scenario is that the Nymaim team obtained the leaked Gozi ISFB code and incorporated it into their own malware to create a combined Trojan for financial fraud attacks.

From Nymaim to GozNym

Nymaim is a two-stage malware dropper. It usually infiltrates computers through exploit kits and then executes the second stage of its payload once it is on the machine, effectively using two executables for the infection routine.

On its own, the Nymaim Trojan is a stealthy, persistent dropper that uses evasion techniques such as encryption, anti-VM, anti-debugging and control flow obfuscation. Although it has dabbled with other banking Trojans in the past, its first tight connection with banking malware began in November 2015; until then, Nymaim was almost exclusively used as a ransomware dropper.

Nymaim is believed to be operated by a closed group and developed on an ongoing basis by what appears to be the same developer(s). The Trojan has a global reach and has launched an untold number of ransomware attacks using its own generic locker against users in Europe, North America and South America, PCWorld reported.

Not all campaigns linked with the malware were documented. However, related data from an independent blogger cited over 2.5 million infections via the Blackhole Exploit Kit (BHEK) in late 2013.

[Figure: Nymaim infection statistics via BHEK, late 2013. Source: Malware don't need Coffee]

X-Force researchers noticed that Nymaim started fetching a Gozi ISFB module, a webinjection dynamic link library (DLL), and using it to launch online banking attacks in late 2015.

As for the infection vector, some recent cases from 2016 revealed that the Pony loader executed Nymaim, which then fetched Gozi ISFB as a third step in the infection flow. The resulting online banking fraud attempts were detected as Gozi ISFB attacks, even though they originated with Nymaim.

The first merged variant, GozNym, was detected in early April 2016, when new Nymaim samples came embedded with Gozi ISFB code and were recompiled into one malware. In the hybrid form, Nymaim is the first executable launched. It then launches the Gozi ISFB component as the second stage of the malware deployment.

Some Technical Details

Before merging into an actual hybrid, earlier versions of Nymaim used to fetch Gozi ISFB's financial module as a complete DLL and inject it into the infected victim's browser to enable webinjections on online banking sites. That DLL is about 150 KB and is a valid Portable Executable (PE) file.

More recent versions of Nymaim include altered Gozi ISFB code. Instead of the 150 KB DLL, it now injects a 40 KB buffer into the browser. This buffer still performs Gozi ISFB's functionality. For example, it uses the same hook engine to perform webinjections, including the engine's handling of the Export Address Table (EAT), the table in a module's PE headers that lists the addresses of the functions the module exports for other code to call.

However, there are some notable differences. For one, the new buffer is not a valid PE file; it has more of a shellcode structure. It has no PE headers and constructs its own Import Address Table (IAT) at runtime rather than relying on the Windows loader to resolve imports.
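The practical consequence for an analyst is that the injected region no longer parses as a PE image, so tools that walk DOS and NT headers will report nothing useful. The following added example (not code from the original post or from IBM X-Force) shows the check: it parses just enough of a buffer's headers to decide whether it is a well-formed PE, and otherwise reports it as a headerless, shellcode-style blob of the kind described above. The sample inputs are constructed stand-ins, not bytes from the real Gozi ISFB DLL or the GozNym buffer; the PE constants are the documented winnt.h values.

```python
import struct

# PE format constants (winnt.h values), named here for readability.
IMAGE_DOS_SIGNATURE = 0x5A4D        # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550     # 'PE\0\0'
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x010B
PE32PLUS_MAGIC = 0x020B
COFF_HEADER_SIZE = 20


def parse_pe_headers(buf):
    """Return the DOS/NT header fields of buf, or None if it is not a well-formed PE image.

    Only the fields needed to answer 'is this a PE?' are checked: the MZ magic,
    a sane e_lfanew, the PE signature, the COFF header and the optional header magic.
    """
    if len(buf) < 0x40:
        return None
    if struct.unpack_from("<H", buf, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    # Signature (4) + COFF header (20) + optional-header magic (2) must fit inside buf.
    if e_lfanew < 0x40 or e_lfanew + 4 + COFF_HEADER_SIZE + 2 > len(buf):
        return None
    if struct.unpack_from("<I", buf, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", buf, e_lfanew + 4 + COFF_HEADER_SIZE)[0]
    if opt_magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    return {
        "machine": machine,
        "sections": nsections,
        "optional_header_size": opt_size,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "pe32plus": opt_magic == PE32PLUS_MAGIC,
    }


def classify_injected_buffer(buf):
    """'pe' for a buffer with valid PE headers (the older ~150 KB ISFB DLL case),
    'headerless' for a shellcode-style blob without them (the GozNym buffer case)."""
    return "pe" if parse_pe_headers(buf) is not None else "headerless"


def triage_regions(regions):
    """Classify a list of (name, bytes) memory regions, e.g. dumped from a browser process."""
    return {name: classify_injected_buffer(data) for name, data in regions}


def build_minimal_pe(is_dll=True):
    """Constructed test input: the smallest header set that parse_pe_headers accepts.
    A hypothetical stand-in, not bytes from the real Gozi ISFB DLL."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: NT headers start right after
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    if is_dll:
        chars |= IMAGE_FILE_DLL
    opt_size = 0xE0                                  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, 0, 0, 0, opt_size, chars)
    opt = struct.pack("<H", PE32_MAGIC) + b"\x00" * (opt_size - 2)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + opt


# Constructed stand-in for a headerless buffer: a position-independent x86 prologue
# (call $+5 / pop ebp) followed by filler. Not GozNym's actual code.
SAMPLE_HEADERLESS = b"\xE8\x00\x00\x00\x00\x5D" + b"\x90" * 58
SAMPLE_PE_DLL = build_minimal_pe(is_dll=True)


if __name__ == "__main__":
    verdicts = triage_regions([("isfb_dll", SAMPLE_PE_DLL), ("goznym_buf", SAMPLE_HEADERLESS)])
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
```

A "headerless" verdict on an executable, privately committed region inside a browser process is the cue to dump the region and look for a runtime-built import table (an array of resolved API pointers near the start of the blob) rather than expecting an IAT that a PE parser can enumerate.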

Another difference is that the new buffer is intertwined with Nymaim’s code. We have at least two examples that demonstrate that interoperability: One is where Gozi ISFB calls Nymaim code to obtain strings; the other is where Gozi ISFB’s buffer code needs to perform actions such as memory allocations.

This intertwined construction led us to the conclusion that Nymaim and Gozi ISFB were in fact compiled into one project.

Analyzing the Gozi ISFB Code

To illustrate this, let's compare the earlier Gozi ISFB DLL version with the new GozNym buffer code. Both pieces perform the same essential action and are taken from the ISFB hook engine.

[Figure: disassembly of the original Gozi ISFB DLL that Nymaim used to fetch]

[Figure: disassembly of the same routine in the new GozNym buffer]

[Figure: the hybrid version's function jmp_nymaim_code]

This piece of code is called whenever Gozi ISFB requires Nymaim to perform an operation. In our example, it is calling HeapAlloc. The function prepares the required arguments for Nymaim (operation type, allocation size and so on); Nymaim then performs the action and returns the result to the Gozi ISFB code.

Relevant Sample MD5

The MD5 hash is 2A9093307E667CDB71884ECC1B480245.

Detecting and Stopping GozNym Attacks

The merging of Nymaim and parts of Gozi ISFB has resulted in a new banking Trojan in the wild. This malware is as stealthy and persistent as the Nymaim loader while possessing the Gozi ISFB Trojan's ability to manipulate Web sessions, enabling advanced online banking fraud attacks.

IBM Security has studied the GozNym malware and its attack schemes and can help banks and other targeted organizations learn more about this high-risk threat. To help stop threats like GozNym, banks and service providers can use adaptive malware detection solutions and protect customer endpoints with malware intelligence that provides real-time insight into fraudster techniques and capabilities, designed to address the relentless evolution of the threat landscape.


For technical details on this research and related indicators of compromise, see the X-Force Advisory on X-Force Exchange.
