IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym.

The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.

Internally, GozNym works like a double-headed beast, where the two codes rely on one another to carry out the malware’s internal operations. More information about the hybrid’s intertwined operation appears in the technical section of this blog.

Targeting North America

In terms of its current targets, X-Force noted that the GozNym hybrid’s configuration is presently focused on the U.S., targeting 22 banks, credit unions and popular e-commerce platforms. Two financial institutions based in Canada are also on the list. GozNym’s operators’ top target is business accounts.

When Source Codes Collide

How was this hybrid created? GozNym’s source code is composed of two known malware codes, one of which is Gozi ISFB, which leaked in 2010. Gozi ISFB was actually leaked more than once: A second disclosure took place in late 2015, when a modified ISFB code was rumored to have been compromised yet again.

On the Nymaim side, the only group known to possess its source code is the original development team. The most likely scenario is that the Nymaim team obtained the leaked Gozi ISFB code and successfully incorporated it into their own malware to create a combination Trojan for financial fraud attacks.

From Nymaim to GozNym

Nymaim is a two-stage malware dropper. It usually infiltrates computers through exploit kits and then executes the second stage of its payload once it is on the machine, effectively using two executables for the infection routine.

On its own, the Nymaim Trojan is a stealthy, persistent dropper that uses evasion techniques such as encryption, anti-VM, anti-debugging and control flow obfuscation. Although it has dabbled with other banking Trojans in the past, its first tight connection with banking malware began in November 2015; up until then, Nymaim was almost exclusively used as a ransomware dropper.

Nymaim is believed to be operated by a closed group and developed on an ongoing basis by what appears to be the same developer(s). The Trojan has a global reach and launched an untold number of ransomware attacks using its own generic locker on users in Europe, North America and South America, PCWorld reported.

Campaigns linked with the malware were not all documented. However, related data from an independent blogger cited over 2.5 million infections via the Blackhole Exploit Kit (BHEK) in late 2013.

Source: Malware don’t need Coffee

X-Force researchers noticed that Nymaim started fetching a Gozi ISFB module, a webinjection dynamic link library (DLL), and using it to launch online banking attacks in late 2015.

As for the infection vector, some recent cases from 2016 revealed that the Pony loader executed Nymaim, which then fetched Gozi ISFB as a third step in the infection flow. The resulting online banking fraud attempts were detected as Gozi ISFB attacks, even though they originated with Nymaim.

The first merged variant, GozNym, was detected in early April 2016, when new Nymaim samples came embedded with Gozi ISFB code and were recompiled into one malware. In the hybrid form, Nymaim is the first executable launched. It then launches the Gozi ISFB component as the second stage of the malware deployment.

Some Technical Details

Before merging into an actual hybrid, earlier versions of Nymaim used to fetch and inject Gozi ISFB’s financial module as a complete DLL into the infected victim’s browser to enable webinjections on online banking sites. That DLL is about 150 KB and was a valid Portable Executable (PE) file.

More recent versions of Nymaim include altered Gozi ISFB code. Instead of the 150 KB DLL, it now injects a 40 KB buffer into the browser. This buffer still performs Gozi ISFB’s functionality. For example, GozNym uses the same hook engine on the Export Address Table (EAT), the table through which a module exposes the addresses of its exported functions to other applications and services, to perform webinjections.

However, there are some pointed differences. For one, the new buffer is not a valid PE file — it has more of a shellcode structure. It constructs its own Import Address Table (IAT) and has no PE headers.
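The shift described above, from a valid 150 KB PE DLL to a 40 KB headerless buffer that builds its own import table, changes what an analyst should look for when triaging memory dumped from a browser process. The following is an added example, not IBM X-Force tooling and not code from the malware: it classifies a dumped region as a proper PE image (DOS header whose e_lfanew points at the "PE\0\0" signature) or as a headerless buffer that nonetheless contains a run of consecutive pointers into loaded modules, which is the shape a hand-built IAT takes in memory. It assumes 32-bit (x86) pointers, and every module address range and sample buffer below is constructed for the demonstration.

```python
"""
Triage of dumped memory regions: valid PE image vs. headerless code buffer.

Added example (not IBM X-Force's tooling and not GozNym code). Motivated by
the observation that the newer injected buffer has no PE headers and builds
its own Import Address Table, whereas the earlier Gozi ISFB module was a
valid PE DLL. Assumes 32-bit pointers; all sample data is constructed.
"""
import struct

MZ_SIG = b"MZ"
PE_SIG = b"PE\x00\x00"

# Hypothetical address ranges of modules loaded in the inspected process
# (in a real run, take them from the process's module list).
MODULE_RANGES = [
    (0x75A00000, 0x75B00000),  # constructed, e.g. a system DLL
    (0x77000000, 0x77100000),  # constructed, e.g. another system DLL
]


def has_valid_pe_header(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew offset lands on 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ_SIG:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIG


def find_pointer_runs(data: bytes, module_ranges, min_run: int = 4):
    """Return (offset, count) for every run of >= min_run consecutive 32-bit
    values that all fall inside loaded-module ranges. A headerless buffer
    resolving its own imports leaves exactly this kind of table behind."""
    runs = []
    start, count = None, 0
    for off in range(0, len(data) - 3, 4):
        val = struct.unpack_from("<I", data, off)[0]
        if any(lo <= val < hi for lo, hi in module_ranges):
            if start is None:
                start = off
            count += 1
        else:
            if count >= min_run:
                runs.append((start, count))
            start, count = None, 0
    if count >= min_run:
        runs.append((start, count))
    return runs


def classify_region(data: bytes, module_ranges) -> str:
    """Label a dumped executable region by the features discussed on the page."""
    if has_valid_pe_header(data):
        return "pe_image"
    if find_pointer_runs(data, module_ranges):
        return "headerless_code_with_pointer_table"
    return "unknown"


def build_sample_pe() -> bytes:
    """Constructed minimal DOS/PE header skeleton (not a loadable image)."""
    buf = bytearray(0x100)
    buf[:2] = MZ_SIG
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> 0x80
    buf[0x80:0x84] = PE_SIG
    return bytes(buf)


def build_sample_headerless() -> bytes:
    """Constructed shellcode-like buffer: a prologue, a 6-entry pointer table
    into the hypothetical module ranges, then a few return instructions."""
    prologue = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10      # 16 bytes
    table = struct.pack("<6I", 0x75A11000, 0x75A12340, 0x75A15678,
                        0x75A19ABC, 0x77001000, 0x77002000)
    return prologue + table + b"\xc3" * 4


if __name__ == "__main__":
    for name, region in (("pe", build_sample_pe()),
                         ("buffer", build_sample_headerless())):
        print(name, classify_region(region, MODULE_RANGES),
              find_pointer_runs(region, MODULE_RANGES))
```

In practice the regions fed to classify_region would be the committed, executable private (non-image-backed) pages of the browser process, and module_ranges its actual module list; a hit on the second label is a reason to carve the region and look at it by hand, not proof of infection on its own, since JIT engines and legitimate loaders also leave pointer tables in private memory.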

Another difference is that the new buffer is intertwined with Nymaim’s code. We have at least two examples that demonstrate this interoperability: one where Gozi ISFB calls Nymaim code to obtain strings, and one where the Gozi ISFB buffer code needs to perform actions such as memory allocation and relies on Nymaim to carry them out.

This intertwined construction led us to the conclusion that Nymaim and Gozi ISFB were in fact compiled into one project.

Analyzing the Gozi ISFB Code

To illustrate that, let’s have a look at a comparison between the earlier Gozi ISFB DLL version and the new GozNym buffer code. Both pieces perform the same essential action and are taken from the ISFB hook engine.

Here is the original Gozi ISFB DLL that used to be fetched by Nymaim:

Here is the new GozNym buffer:

In this last figure, we see the new hybrid version’s function jmp_nymaim_code:

This piece of code is called whenever Gozi ISFB requires Nymaim to perform an operation. In our example, it is calling HeapAlloc. The function prepares the required arguments for Nymaim (operation type, allocation size, etc.); Nymaim then performs the action and returns the result to the Gozi ISFB code.

Relevant Sample MD5

The MD5 hash is 2A9093307E667CDB71884ECC1B480245.

Detecting and Stopping GozNym Attacks

The merging of Nymaim and parts of Gozi ISFB has resulted in a new banking Trojan in the wild. This malware is as stealthy and persistent as the Nymaim loader while possessing the Gozi ISFB Trojan’s ability to manipulate Web sessions, resulting in advanced online banking fraud attacks.

IBM Security has studied the GozNym malware and its attack schemes and can help banks and other targeted organizations learn more about this high-risk threat. To help stop threats like GozNym, banks and service providers can use adaptive malware detection solutions and protect customer endpoints with malware intelligence that provides real-time insight into fraudster techniques and capabilities, designed to address the relentless evolution of the threat landscape.


For technical details on this research and related indicators of compromise, see the X-Force Advisory on X-Force Exchange.
