Banking trojan borrows trick from Dyre and Dridex

Jun 22, 2016 22:50 GMT  ·  By

GozNym, a banking trojan discovered only two months back, has added a new trick to its arsenal and is using it to target high-level business banking services in the US.

IBM's X-Force security team discovered GozNym in April 2016, when they detected the trojan targeting customers of financial institutions in the US and Canada.

In its initial versions, the trojan relied on a technique called web injections: a malicious DLL loaded into the user's browser process alters the content of a banking page as it is rendered, adding form fields, scripts or overlays that the real site does not have, whenever the victim visits a banking portal on the trojan's target list.

Web injection attacks are common, and GozNym's Web injects are inherited from the Gozi banking trojan. In fact, GozNym's name comes from a combination of Gozi and Nymaim, a malware dropper.
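To make the mechanism concrete, here is an added example, not code from IBM's report or from GozNym itself. It models a web inject in Python using a rule of the kind documented for the ZeuS/Gozi family (a URL pattern plus data_before, data_inject and data_after fragments; the field names are an assumption, since the real configs are binary and encrypted), applies it to a constructed bank login page, and then shows the defender-side check: diff the form fields of the served page against a known-good copy. The hostname online.bank.example and the page markup are constructed.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class InjectRule:
    """One web-inject rule, modelled on the ZeuS/Gozi-style config format.
    Field names are hypothetical; real configs are binary and encrypted."""
    url_pattern: str   # glob with '*' wildcard, matched against the page URL
    data_before: str   # HTML fragment after which the injection starts
    data_inject: str   # HTML/JS the malware inserts
    data_after: str    # fragment that ends the replaced region ('' = pure insert)


def url_matches(pattern: str, url: str) -> bool:
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, url) is not None


def apply_injects(url: str, html: str, rules: list) -> str:
    """Attacker side: rewrite the page body the way the in-browser DLL does.
    Everything between data_before and data_after is replaced by data_inject."""
    for rule in rules:
        if not url_matches(rule.url_pattern, url):
            continue
        start = html.find(rule.data_before)
        if start < 0:
            continue
        start += len(rule.data_before)
        end = html.find(rule.data_after, start) if rule.data_after else start
        if end < 0:
            continue
        html = html[:start] + rule.data_inject + html[end:]
    return html


class _InputCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.names.append(name)


def input_names(html: str) -> list:
    parser = _InputCollector()
    parser.feed(html)
    return parser.names


def unexpected_fields(reference_html: str, observed_html: str) -> list:
    """Defender side: form fields present in the served page but absent from
    a known-good copy. A bank can run this from its own page script; an
    analyst can run it against a page saved from an infected host."""
    return sorted(set(input_names(observed_html)) - set(input_names(reference_html)))


# Constructed sample data (not taken from any real GozNym configuration).
BANK_LOGIN = """<html><body>
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="Sign in">
</form>
</body></html>"""

RULES = [
    InjectRule(
        url_pattern="https://online.bank.example/login*",
        data_before='<input name="password" type="password">',
        data_inject='\n  <label>Card PIN (required for security update)</label>'
                    '\n  <input name="card_pin" type="password">',
        data_after="",
    )
]

if __name__ == "__main__":
    served = apply_injects("https://online.bank.example/login", BANK_LOGIN, RULES)
    print(served)
    print("unexpected fields:", unexpected_fields(BANK_LOGIN, served))
```

The point of the defender-side diff is that the server never sees the injected field: the page it sent was clean, and the modification happens inside the victim's browser. Only a comparison between what the bank knows it served and what the browser actually rendered (or what the victim submitted) reveals the extra "card_pin" field.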

GozNym added support for redirection attacks in April

Two weeks after IBM published its findings on GozNym's tactics, the crooks behind the malware added a new wrinkle to their mode of operation.

GozNym started using a technique called "redirection attacks." The trojan deployed this attack initially only in Poland, targeting 230 URLs belonging to 17 financial institutions.

A redirection attack occurs when the malware silently sends the victim to a fake banking portal operated by the attackers instead of the real site. To keep the victim from noticing, the malware manipulates the browser so that the address bar still shows the bank's correct URL and the bank's real SSL certificate, even though the page content is coming from the attackers' server.
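Because the malware controls what the browser displays, the endpoint is the wrong place to look for a redirection attack; the network edge still sees where the connection really went. The following added example (not IBM's or GozNym's code) shows a minimal egress check in Python: connections whose TLS SNI or proxy CONNECT hostname is a watched banking portal, but whose destination IP lies outside that portal's known ranges, are flagged. The hostname, the RFC 5737 IP ranges and the four-column log format are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# One egress connection: timestamp, client, hostname (from TLS SNI or a proxy
# CONNECT), destination IP. Field layout is constructed for this example.
Conn = namedtuple("Conn", "ts src host dst_ip")

# Constructed allowlist: ranges the bank's portal legitimately resolves to.
# A real deployment would build this from the bank's published ranges or
# from a baseline of resolutions observed from known-clean hosts.
KNOWN_RANGES = {
    "online.bank.example": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed egress log. The third line is the redirection: the browser on
# 10.0.0.23 asked for the bank's hostname but connected to an unrelated IP.
SAMPLE_LOG = """\
2016-06-20T09:12:01Z 10.0.0.15 online.bank.example 198.51.100.20
2016-06-20T09:12:02Z 10.0.0.15 cdn.example 203.0.113.9
2016-06-20T09:13:44Z 10.0.0.23 online.bank.example 203.0.113.77
2016-06-20T09:14:10Z 10.0.0.23 online.bank.example 198.51.100.21
"""


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of crashing
        ts, src, host, dst = parts
        records.append(Conn(ts, src, host.lower().rstrip("."), ipaddress.ip_address(dst)))
    return records


def flag_redirections(records: list, known_ranges: dict) -> list:
    """Return connections whose hostname is a watched banking portal but
    whose destination IP is outside that portal's known ranges."""
    alerts = []
    for rec in records:
        nets = known_ranges.get(rec.host)
        if nets is None:
            continue  # not a hostname we watch
        if not any(rec.dst_ip in net for net in nets):
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for alert in flag_redirections(parse_log(SAMPLE_LOG), KNOWN_RANGES):
        print(f"{alert.ts} {alert.src} -> {alert.host} served from {alert.dst_ip}")
```

The check belongs on proxy, firewall or Zeek-style connection telemetry, not on the infected host. Its main operational cost is keeping the allowlist current: banks behind CDNs change addresses, so the ranges should be derived from the bank's own announcements or refreshed baselines rather than hard-coded once.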

Only GozNym and Dridex currently use redirection attacks

Redirection attacks were made famous by the Dyre banking trojan and, to a lesser degree, by Dridex.

They are very hard for victims to spot, but they remain the preserve of well-resourced cyber-crime groups, because they are expensive to run, both financially and in terms of manpower.

GozNym operators need both the server infrastructure to host all these banking portal replicas, and the developers to continually update the fake sites to look like the original ones.

"In most cases, GozNym redirects the bank’s home page, but that’s not the only page the malware can redirect," IBM's Limor Kessem explains. "There are cases where other pages are redirected to GozNym’s replica to force the victim to enter their login credentials."

After activity from the Dyre botnet started to quiet down, GozNym and Dridex are the only banking trojans employing redirection attacks.

According to IBM's statistics, GozNym is ranked as the fifth most active banking trojan botnet for the first months of 2016. Dridex is ranked second.

Most active banking trojan botnets in 2016
