How did a hybrid Trojan steal $4 million from two dozen U.S. and Canadian financial institutions within days?

The GozNym hybrid, part banking Trojan and part ransomware, combines features of the Nymaim and Gozi ISFB malware to create a powerful Trojan, IBM Executive Security Advisor Limor Kessem said in an IBM alert. GozNym works like a double-headed beast, where the two codes rely on one another to carry out the malware's internal operations, she said.

In terms of the Trojan's targets, IBM X-Force Research, which uncovered the hybrid malware, noted that the GozNym hybrid's configuration targeted U.S. banks, credit unions and popular e-commerce platforms. Two Canadian financial institutions were also on the list.

“The new GozNym Trojan is the combination of Nymaim and Gozi, a previous version of Vawtrak, also currently used to attack banks,” Pablo de la Riva Ferrezuelo, CTO and founder of buguroo, a threat intelligence startup spun out of Deloitte's European Security Operations Center, said. “Though the combination creates a new malware with evolutions in some of the techniques, it still has something in common: dynamic web injects in the end user browser.”

De la Riva Ferrezuelo provided an overview of how the hybrid malware works.

1. Typically, a user receives a spear phishing email with a Word document attached. Real case examples are shown below.

2. The attacker attempts to fool the user by claiming that the document was created in an older version of Word and asking them to accept it. Once the user clicks, macros are enabled, and the macro (written in VBA, Visual Basic for Applications, Microsoft's Visual Basic dialect embedded in Office documents) downloads the dropper. Nymaim, first uncovered in 2013, is a dropper mainly employed to install other malware, usually ransomware, once it has infiltrated a PC via a browser-based attack.

3. Once the dropper is working, Nymaim can download the other pieces, in this case Gozi ISFB.

“One of the new tricks here is that this specific campaign has a modification of the Nymaim malware that is only using the web injects piece instead of the full capabilities; this stops some antivirus solutions from detecting it like before,” de la Riva Ferrezuelo said. This has been happening since the end of last year, when GozNym started to be distributed.

4. When Gozi ISFB is running, dynamic web injects interact with the user's browser, adding fraudulent content to the pages the user sees.

5. Depending on the campaign, the injected content can capture additional user information, such as a second authentication factor. In this example the criminals now have the credentials, so they usually sell them on the black market. After that, other criminals use that data to move money into mule accounts.

“Most commonly, the malware guides the user to stop a fraudulent transaction, but what it's really doing is launching a real fraudulent transaction to a mule account. This is one of the most common ways to move the money,” the buguroo CTO explained.

6. A dedicated team updates and changes the mule accounts continuously.

“These people are not involved with the malware attacks and only work on making sure these accounts are available to the hackers, using fake names and addresses,” de la Riva Ferrezuelo pointed out. This guarantees that accounts are available when needed and ensures no traceability is possible when security analysts attempt to follow and recover the money and identify the attackers.

De la Riva Ferrezuelo said online fraud detection solutions could help credit unions. However, some of the less advanced solutions focus only on signatures or basic patterns, and so can only protect against already-known Trojans that rely on old-fashioned techniques.

“GozNym is a perfect example of why financial institutions need technologies that can stop even zero-day malware,” he added.
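To make the web inject of steps 4 and 5 concrete, and the signature-versus-behaviour point in the closing paragraphs, here is an added example (not code from the article, from buguroo, or from IBM). It models the inject as the malware family applies it: the infected browser rewrites the bank's HTTP response before rendering, so the server never sees the extra field. The rule format is assumed to be the Zeus/ISFB-style block layout (`set_url`, `data_before`, `data_inject`, `data_after`, `data_end`); the login form, the inject text, and the field allowlist are constructed sample data. A wording-based signature catches only the first variant; an integrity check that compares the rendered form against the fields the bank actually serves catches both.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed sample: the login form as the bank's server sent it, and the
# set of input fields the bank knows that form contains.
ORIGINAL_HTML = """<form id="login" action="/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <button type="submit">Log in</button>
</form>"""
EXPECTED_FIELDS = {"user", "pass"}

# Constructed inject rules in the assumed Zeus/ISFB-style block format.
# Both add a fake second-factor prompt after the password field; V2 is the
# same trick with different wording and field name.
INJECT_CONFIG_V1 = """set_url https://bank.example/login* GP
data_before
<input type="password" name="pass">
data_end
data_inject
<div class="sec">Security check: enter the one-time code from your token</div>
<input type="text" name="otp">
data_end
data_after
data_end
"""
INJECT_CONFIG_V2 = INJECT_CONFIG_V1.replace(
    "enter the one-time code from your token", "confirm the 6-digit SMS code we just sent"
).replace('name="otp"', 'name="smscode"')


@dataclass
class InjectRule:
    url_mask: str     # glob matched against the page URL
    data_before: str  # anchor text in the server's response
    data_inject: str  # attacker HTML placed after the anchor
    data_after: str   # optional end anchor; text between the anchors is replaced


def parse_inject_config(text: str) -> list[InjectRule]:
    """One rule per set_url line; each data_* block runs until data_end."""
    rules, cur, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            if cur is not None:
                rules.append(InjectRule(**cur))
            cur = {"url_mask": line.split()[1], "data_before": "",
                   "data_inject": "", "data_after": ""}
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []
        elif line == "data_end" and cur is not None and section is not None:
            cur[section] = "\n".join(buf).strip()
            section = None
        elif section is not None:
            buf.append(line)
    if cur is not None:
        rules.append(InjectRule(**cur))
    return rules


def apply_injects(url: str, html: str, rules: list[InjectRule]) -> str:
    """Model of the in-browser tampering: rewrite the response body of
    matching URLs before the page is rendered."""
    for r in rules:
        if not fnmatch(url, r.url_mask):
            continue
        start = html.find(r.data_before)
        if start < 0:
            continue
        pos = start + len(r.data_before)
        if r.data_after:
            end = html.find(r.data_after, pos)
            if end < 0:
                continue
            html = html[:pos] + "\n" + r.data_inject + "\n" + html[end:]
        else:
            html = html[:pos] + "\n" + r.data_inject + html[pos:]
    return html


# Signature-style check: matches the wording of one known inject only.
KNOWN_INJECT_TEXT = re.compile(r"one-time code from your token", re.I)

def signature_hit(html: str) -> bool:
    return KNOWN_INJECT_TEXT.search(html) is not None


# Integrity-style check: any <input> the bank did not serve is evidence of
# an inject, whatever the injected text says. A bank-served script would
# take this inventory from the live DOM and report it to the server.
def field_names(html: str) -> set[str]:
    return set(re.findall(r'<input\b[^>]*\bname="([^"]+)"', html))

def unexpected_fields(html: str, expected: set[str] = EXPECTED_FIELDS) -> set[str]:
    return field_names(html) - expected
```

Running `apply_injects("https://bank.example/login", ORIGINAL_HTML, parse_inject_config(INJECT_CONFIG_V2))` and passing the result to both checks shows the difference: `signature_hit` returns False because the wording changed, while `unexpected_fields` still returns `{"smscode"}`. Because the tampering happens inside the victim's browser, server-side request inspection alone cannot see it; the integrity inventory has to be gathered client-side and compared against what the server knows it sent.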


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.