Home / malware GOZNYM
First posted on 17 June 2019.
Source: SecurityHomeAliases :
There are no other names known for GOZNYM.
Explanation :
A Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code.
The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper's stealth and persistence; the Gozi ISFB parts add the banking Trojan's capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.
Some Technical Details
Before merging into an actual hybrid, earlier versions of Nymaim used to fetch and inject Gozi ISFB's financial module as a complete DLL into the infected victim's browser to enable webinjections on online banking sites. That DLL is about 150 KB and was a valid Portable Executable (PE) file.
More recent versions of Nymaim include altered Gozi ISFB code. Instead of the 150 KB DLL, it now injects a 40 KB buffer into the browser. This buffer still performs Gozi ISFB's functionality. For example, when it comes to the Export Address Table (EAT), which contains the addresses of modules exposed for consumption by other applications and services, GozNym uses the same hook engine to perform webinjections.
However, there are some pointed differences. For one, the new buffer is not a valid PE file - it has more of a shellcode structure. It constructs its own Import Address Table (IAT) and has no PE headers.
Another difference is that the new buffer is intertwined with Nymaim's code. We have at least two examples that demonstrate that interoperability: One is where Gozi ISFB calls Nymaim code to obtain strings; the other is where Gozi ISFB's buffer code needs to perform actions such as memory allocations.
This intertwined construction led us to the conclusion that Nymaim and Gozi ISFB were in fact compiled into one project.
Analyzing the Gozi ISFB Code
To illustrate that, let's have a look at a comparison between the earlier Gozi ISFB DLL version and the new GozNym buffer code. Both pieces perform the same essential action and are taken from the ISFB hook engine
The GozNym network exemplified the concept of "cybercrime as a service," with different criminal services such as bulletproof hosters, money mules networks, crypters, spammers, coders, organizers, and technical support.
HIGHLY SPECIALISED AND INTERNATIONAL CRIMINAL NETWORK
- A member of the network who encrypted GozNym malware to enable it to avoid detection by anti-virus tools and protective software on victims computers is being prosecuted in Moldova by the Prosecutor General of the Republic of Moldova and the General Police Inspectorate of the Republic of Moldova.
- Another member from Bulgaria was already arrested by the Bulgarian authorities and extradited to the United States in December 2016 to face prosecution in Pittsburgh. His primary role in the conspiracy was that of a "casher" or "account takeover specialist" who used victims stolen online banking credentials captured by GozNym malware to access victims online bank accounts and attempt to steal victims money.
- Several members of the network provided money-laundering services and were known as "cash-outs" or "drop masters." These individuals, including two from Russia and one from Ukraine, provided fellow members of the conspiracy with access to bank accounts they controlled that were designated to receive stolen funds from GozNym victims online bank accounts.
- The five Russian nationals charged in the Indictment remain on the run. In addition to the two "drop masters" referenced above, these defendants include the developer of GozNym malware who oversaw its creation, development, management and leasing to other cybercriminals.
- Another Russian GozNym member conducted spamming operations on behalf of the conspiracy. The spamming operations involved the mass distribution of GozNym malware through "phishing" emails. The phishing emails were designed to appear legitimate to entice the victim recipients into opening them and clicking on a malicious link or attachment which facilitated the downloading of GozNym onto the victims computers.
- Another Russian-born member of the network was a "casher" or "account takeover specialist." Like the Bulgarian defendant, he used victims stolen online banking credentials captured by GozNym malware to access victims online bank accounts and attempt to steal victims money through electronic funds transfers into bank accounts controlled by fellow conspirators.
AVALANCHE NETWORK
Bulletproof hosting services were provided to the GozNym criminal network by an administrator of the "Avalanche" network. The Avalanche network provided services to more than 200 cybercriminals, and hosted more than twenty different malware campaigns, including GozNym. The administrator's apartment in Poltava, Ukraine, was searched in November 2016 during a German-led operation to dismantle the network's servers and other infrastructure. Through the coordinated efforts being announced today, this alleged cybercriminal is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network.Last update 17 June 2019
