A new banking trojan named GozNym is actively hitting U.S. and Canadian banks and has already taken about $4 million from two dozen North American banks.
IBM's X-Force Research team reported that 24 banks in the two countries, 22 in the U.S., have so far lost about $4 million to attacks using GozNym since the malware was discovered earlier this month. Who conducted the attacks is not known.
Limor Kessem, executive security advisor for IBM, wrote in a blog post that GozNym was created by combining source code from the older Nymaim and Gozi ISFB banking malware to produce an even more dangerous piece of software. “From the Nymaim malware, it leverages the dropper's stealth and persistence; the Gozi ISFB parts add the banking Trojan's capabilities to facilitate fraud via infected Internet browsers,” said Kessem. “The end result is a new banking Trojan in the wild.”
Attacks are so far fairly evenly split: business banks absorbed 28 percent of the attacks; credit unions, 27 percent; e-commerce, 22 percent; retail banking, 17 percent; and the remaining six percent hit other types of institutions. GozNym uses its native Nymaim ability to infiltrate its targets through an exploit kit that drops a payload onto the system; the infection routine uses two executables, IBM said.
Giovanni Vigna, co-founder and chief technology officer of Lastline, said in an email Thursday that malware like GozNym is to be expected now. “While it is interesting to see two strands of malware becoming closely intertwined, it is not surprising. As for any software that has to be flexible and reliable, malware has been modularized for a while, so that functionality can be reused or loaded as-needed.”
One industry executive said it was disappointing that GozNym has been successful because, while this malware is new, the type of attack has been seen before and the banking industry was told to beware.
“When you see an attack like GozNym picking up pieces of past malware to swipe another $4 million, it stings if you're a security professional. You know you told both IT and the business how they needed to react to attacks of this type when the original threats emerged. This just shows you that they didn't really listen then,” Jonathan Sander, vice president at Lieberman Software, said in an email Thursday. Sander compared this lack of concern to a home that is constantly broken into through an open window because the owner refuses to remember to lock it.