Banking Trojans merge to steal over $4m in just a few days

IBM has discovered a new piece of malware that has managed to steal $4 million from more than 24 American and Canadian banks in just a few days. 

The hackers combined code from two malware types, known as Nymaim and Gozi, to create GozNym, a persistenet and powerful 'chimera' Trojan of the two.

Numerous credit unions, business banking institutions, retail banks and popular e-commerce platforms were also said to have been targeted, with the Trojan currently engaged in an active campaign with 72% of targets.

Limor Kessem, a cyber security expert with IBM's X-Force Research devision, said in an interview with Threatpost that 'GozNym is an extremely stealthy Trojan combining the best of both Nymaim and Gozi ISFB to create a very problematic threat.'

'The attack numbers for GozNym have been extremely high given it’s only been around since April,' said Kessem.

According to IBM's researchers, the Trojan is being delivered primarily via email messages containing malware-infected macros. Attackerscan then break into the victim's browser, steal credentials and get into their bank accounts.

Another source with knowledge of the malware, who asked to remain anonymous, told Forbes yesterday that GozNym was also active in Asia and Europe but appeared to target American banks with overseas operations.

It's not the first time malware has merged to form a powerful Trojan that combines the strengths of both – last year's Shifu Trojan emerged from several years' worth of malware that included Dridex, Zeus, Gozi, Shiz and others, to attack 14 Japanese banks and electronuc banking platforms across Europe. 

Last week, Security firm Proofpoint published findings that a threat actor sent approximately a third of a million highly personalised phishing emails in an attempt to deliver a number of malware payloads, and Nyamaim was part of that scheme.

'Earlier this year we uncovered that Nymaim had switched from delivering ransomware to delivering banking Trojans,' said Bryan Burns, VP of Threat Research at Proofpoint. 'These campaigns primarily use malicious document attachments, and occasionally malicious URLs, as they try to infiltrate systems. We see these infection attempts on a regular basis and stop the attacks before they reach our customers.'

'Bad actors are specifically targeting financial organisations and employees who have a higher chance of interacting with banking websites on behalf of the company.'

Travis Smith, senior security research engineer at Tripwire explained to Information Age that cyber criminals have specialties just like their white hat counterparts:  

'By taking bits of code from different pieces of malware, they are able to create their malicious payload quicker than writing everything from scratch. This will reduce their time to exploit and increase potential profits from criminal activity.'

'Data is the currency of the 21st century, however criminals are still interested in real currency as well. Banks and e-commerce sites face attacks from criminals seeking both sets of currency,' said Smith.

He advised that organisations monitor critical systems for suspicious changes as well as limit network connectivity to prevent data leakage in the event of a breach.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Breach