New Malware Reported To Be Hitting CUs, Causing Losses

ARMONK, N.Y.—A new hybrid Trojan has managed to steal $4 million from financial institutions—with CUs being a primary target—since it was first discovered just over two weeks ago, according to IBM X-Force Research.

Two powerful Trojans, Nymaim and Gozi ISFB, have been combined to create the hybrid GozNym Trojan.

The hybrid Trojan is currently engaged in an active campaign with 72% of targets, including business banking institutions, credit unions and retail banks, IBM X-Force reported. Business banking (28%) and CUs (27%) are the biggest targets, according to IBM X-Force.

“GozNym is an extremely stealthy Trojan combining the best of both Nymaim and Gozi ISFB to create a very problematic threat,” Limor Kessem, a cybersecurity expert with IBM’s X-Force Research division, told Threatpost. “The attack numbers for GozNym have been extremely high given it’s only been around since April.”

Kessem said the Trojan is being delivered primarily via email messages with so-called poisoned macros in a malware-infected attachment. Attackers then manipulate the victim’s browser, steal credentials and transfer money out of their accounts.

Combining Trojans, Kessem told Threatpost, is not unheard of and is something the security world has seen in the not-so-distant past. Kessem said GozNym is a power-patchwork of sorts, where the two codes rely on one another to carry out the malware’s internal operations.

“Together these two Trojans work much more effectively than apart,” Kessem told the publication.

The hybrid GozNym borrows from Nymaim in that it uses that Trojan’s two-stage malware dropper to infect a system. After it infiltrates a computer, the Nymaim component of GozNym begins to fetch Gozi ISFB modules that are responsible for the Trojan’s ability to inject a malicious dynamic link library (DLL), according to X-Force.

“Before merging into an actual hybrid, earlier versions of Nymaim used to fetch and inject Gozi ISFB’s financial module as a complete DLL into the infected victim’s browser to enable web-injections on online banking sites,” Kessem wrote in a technical description of the Trojan.

The first merged variant, GozNym, was detected in early April 2016, Kessem said. As for the origins of Nymaim and Gozi ISFB, the Gozi Trojan was behind online banking attacks in late 2007 and was known for its ability to steal SSL data using advanced Winsock2 functionality, Threatpost stated. The Nymaim Trojan was first spotted in 2013 and identified as ransomware. But, according to X-Force, both Trojans saw their source code leaked, allowing a third party to combine the two and create GozNym earlier this year.

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto.flux5.ccplatform.net/Fresh-Today/New-Malware-Reported-To-Be-Hitting-CUs-Causing-Losses