Why GozNym Is Worse for Banks than the Average Malware


With millions of malware strains and banking Trojans seemingly hitting banks' systems every day, it's easy to get malware announcement fatigue.

But the news last week that a malicious software called GozNym successfully stole $4 million from U.S. and Canadian banks should make institutions sit up and take notice. Here's why:

It's effective and has already inflicted significant damage
The malware is targeting 22 large banks and credit unions in the U.S. and two in Canada. Large banks are targeted because a randomly infected victim is likely to hold an account at one of them. Credit unions are swept in because the Trojan goes after the shared digital banking platforms that many credit unions buy, so one set of injects covers every institution on that platform. Small banks have reason for concern too: the malware harvests online banking usernames and passwords from whatever site the victim logs in to, and the criminals will find a use for them even if that bank is not on the target list.

It has powerful backers

The malware appears to have been unleashed by organized crime.

"There might be a million malware strains, but there are only a few families that are active and dangerous and those principal malware families are owned by organized crime, so this could cause very heavy losses in online banking fraud," Limor Kessem, executive security adviser at IBM, said in an interview. IBM was the first company to identify and report on the cybercrime. 

It's appealing to fraudsters because it's inexpensive and hard to detect
The software can be rented for as little as $500 a month, and it supports newer browsers such as Edge, the browser that ships with Microsoft's Windows 10.

"Many cybercriminals are looking for Trojans that support Edge," said Andrew Komarov, chief intelligence officer at InfoArmor, a provider of threat intelligence consulting services.

Another key differentiator of GozNym, in his view, is the malware's advanced system for injecting code into websites.

And the malware is stealthy, according to Giovanni Vigna, co-founder and CTO of the security software company Lastline. "It really tries not to be easily analyzable by existing tools," he said. "Once you identify a technique that deflects mechanisms for detection, then you have free rein for a while until people catch up."

How It Works

All modern online banking malware (Zeus, SpyEye, Citadel, Carberp, et al.) follows the same basic set of steps. First, get the malware onto the victim's computer, whether through phishing (tricking someone into opening a malicious email attachment), getting the user to click a malicious link, or a method common to GozNym attacks called drive-by download. In a drive-by download, cybercriminals plant a malicious ad on a high-traffic website like BBC.com or CNN.com; the ad silently redirects the browser to an exploit kit, which attacks an unpatched browser or plug-in and installs the malware without the user clicking on anything beyond the page itself.

The malware then waits until the user logs in to online banking and captures the username, password and any other credentials needed to carry out online banking and wire transfer fraud.

But GozNym is different from the others in that it can act as ransomware — malware that encrypts the files in a computer, then demands a ransom from the user to unlock them — as well as an online banking Trojan. The "Goz" part of the name is from Gozi, the widely used online banking Trojan, while the "Nym" comes from the ransomware Nymaim.

"Depending on the bad actor's choice, it can be used as ransomware to lock your computer or simply to upload Gozi for online banking theft," Komarov said.

GozNym also includes so-called dropper malware that can be used to deliver additional malware to the machine. This is useful because cybercriminals often don't know whether a given computer is used for online banking. So they infect it with a small piece of malware, watch for banking activity, and only then download the larger online banking Trojan. Keeping the recognizable Gozi component off machines that don't need it reduces the chance that antivirus or antimalware software watching for signs of Gozi, whether a bank's or its customers', ever sees it.

GozNym makes nimble use of Web injection, the insertion of extra HTML and script into the bank's own pages as the browser renders them. The injected content displays messages that appear to come from the bank and ask for the user's mother's maiden name, a secret challenge question or a password reset. This gives cybercriminals the additional information they need to complete a transaction, even when a bank's fraud detection software red-flags the use of stolen login credentials from a computer not previously associated with the account.

"The Trojan is injecting code into the screen. That means you as a user would see it as a message from your bank," Kessem said. "You would totally believe your bank is asking for that information. You suddenly get a hold screen with a timer that asks you to please enter this type of information, whatever the Trojan thinks it needs to complete the transaction, and you would think you'd only have one minute to enter information. The user gets convinced; they believe that's a legitimate message."

Some Web server protection software (such as IBM's Trusteer) will notify the bank that a Web session is coming from an infected browser and that malware is trying to intercept or alter its communications with the bank.
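The check such software performs can be illustrated with a page-integrity comparison. This is an added example, not code from the article or from IBM, Trusteer or any other vendor named here: it compares the form fields the bank's server actually sent against the fields present in the page the browser rendered, which is exactly where a GozNym-style inject leaves its fingerprint. Both HTML documents, the field names and the list of sensitive prompts are constructed for the example.

```python
"""Detect form fields that a web inject added to a bank login page.

Added example (not the article's or any vendor's code). A legitimate page
and an inject-modified copy of it are constructed below; the detector reports
any field present in the rendered page that the server never sent, and
separately flags fields that request secondary secrets a sign-in page would
never ask for.
"""
from html.parser import HTMLParser

# Constructed sample: what the bank's server actually sends for login.
SERVED_PAGE = """
<form id="login" action="/auth" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
"""

# Constructed sample: the same page as seen inside an infected browser. The
# Trojan has spliced in a timed "hold" banner and two extra prompts.
RENDERED_PAGE = """
<div class="alert">Security check required. Time remaining: <span id="t">0:59</span></div>
<form id="login" action="/auth" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="mother_maiden_name" type="text">
  <input name="challenge_answer" type="text">
  <button type="submit">Sign in</button>
</form>
"""

# Field names a login page never legitimately asks for at sign-in. Matching
# one of these turns an "unexpected field" into a high-confidence inject.
# Assumed list for the example; a real deployment would maintain its own.
SENSITIVE_PROMPTS = {
    "mother_maiden_name", "challenge_answer", "ssn",
    "card_number", "pin", "otp", "new_password",
}


class FormFieldCollector(HTMLParser):
    """Collects the name attribute of every input, select and textarea."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)


def form_fields(html):
    """Return the form field names in document order."""
    collector = FormFieldCollector()
    collector.feed(html)
    return collector.fields


def detect_inject(served_html, rendered_html):
    """Compare served vs rendered page.

    Returns (injected, high_risk): every field the browser shows that the
    server did not send, and the subset that asks for a sensitive secret.
    """
    expected = set(form_fields(served_html))
    observed = form_fields(rendered_html)
    injected = [f for f in observed if f not in expected]
    high_risk = [f for f in injected if f in SENSITIVE_PROMPTS]
    return injected, high_risk


if __name__ == "__main__":
    injected, high_risk = detect_inject(SERVED_PAGE, RENDERED_PAGE)
    print("injected fields:", injected)
    print("high-risk prompts:", high_risk)
```

The server alone cannot run this check, because it only knows what it sent; the rendered side has to be captured by a script or agent running in the browser and reported back, which is what the session-protection products do. The caveat is that a Trojan with full control of the browser can also tamper with that script, so the result is a signal to correlate with other evidence, not proof of a clean session.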

Defense Strategy

Web server protection software is one defense against GozNym. Antimalware software is another. A third type of software, provided by Lastline, FireEye and Check Point, detonates suspicious programs and files in an isolated environment called a sandbox and watches their behavior for signs of malware that signature-based scanning misses.

Some banks give their corporate clients software that protects the computers they use for online banking from cybercriminal activity, sometimes using whitelists and blacklists to steer them away from malicious websites. Others require a hardware token that provides one-time passwords for extra authentication, though an inject can just as easily prompt the user for the one-time code and relay it in real time, so tokens raise the bar rather than close the gap.

Banks can also use software that monitors online banking users' activity for signs of foul play. ThetaRay, BAE's NetReveal and IBM's Watson can ingest many kinds of data, including network traffic, mobile app traffic and core banking transactions, and look for suspicious behavior that could indicate a security breach or fraud, using pattern definition, pattern matching and anomaly detection. Such software might notice that a user is logging in from a different time zone than usual, or that the browser reports more languages or plug-ins than it normally does.
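A rule-based version of the behavioral check described above, as an added example that is not code from the article or from any of the vendors it names: each user's baseline is built from previous clean sessions, a new session earns points for every attribute that does not fit that history, and sessions over a threshold are flagged for step-up authentication or review. The session records, weights and threshold are constructed for the example.

```python
"""Score a login session against a user's own baseline.

Added example, not the article's or any vendor's code. HISTORY is a
constructed record of one user's past clean sessions; WEIGHTS and THRESHOLD
are illustrative values that a real system would tune against labelled
fraud cases.
"""
from collections import Counter

# Constructed history: time zone, browser language, plug-in count, user
# agent and local hour of each earlier clean login.
HISTORY = [
    {"tz": "America/New_York", "lang": "en-US", "plugins": 3, "ua": "Chrome/50", "hour": 9},
    {"tz": "America/New_York", "lang": "en-US", "plugins": 3, "ua": "Chrome/50", "hour": 13},
    {"tz": "America/New_York", "lang": "en-US", "plugins": 3, "ua": "Chrome/50", "hour": 20},
    {"tz": "America/New_York", "lang": "en-US", "plugins": 4, "ua": "Chrome/50", "hour": 8},
]

# Illustrative weights: how much each mismatch contributes to the score.
WEIGHTS = {"tz": 3, "lang": 2, "ua": 2, "plugins": 1, "hour": 1, "new_payee": 3}
THRESHOLD = 5


def build_baseline(history):
    """Summarise what is normal for this user from past clean sessions."""
    return {
        "tz": Counter(s["tz"] for s in history),
        "lang": Counter(s["lang"] for s in history),
        "ua": Counter(s["ua"] for s in history),
        "max_plugins": max(s["plugins"] for s in history),
        "hour_lo": min(s["hour"] for s in history),
        "hour_hi": max(s["hour"] for s in history),
    }


def score_session(baseline, session):
    """Return (score, reasons) for one new session."""
    score, reasons = 0, []
    for key in ("tz", "lang", "ua"):
        if session[key] not in baseline[key]:
            score += WEIGHTS[key]
            reasons.append(f"{key} {session[key]!r} never seen for this user")
    if session["plugins"] > baseline["max_plugins"]:
        score += WEIGHTS["plugins"]
        reasons.append(f"{session['plugins']} plug-ins, baseline max {baseline['max_plugins']}")
    if not baseline["hour_lo"] <= session["hour"] <= baseline["hour_hi"]:
        score += WEIGHTS["hour"]
        reasons.append(f"login at hour {session['hour']} is outside the usual window")
    # Transaction-level signal: money going somewhere it has never gone before.
    if session.get("new_payee"):
        score += WEIGHTS["new_payee"]
        reasons.append("transfer to a payee not seen before")
    return score, reasons


def is_suspicious(baseline, session):
    """True when the session's score reaches the review threshold."""
    return score_session(baseline, session)[0] >= THRESHOLD


# Constructed sessions: the user on their own machine, and a fraudster
# replaying the stolen credentials from elsewhere.
NORMAL_SESSION = {"tz": "America/New_York", "lang": "en-US", "plugins": 3, "ua": "Chrome/50", "hour": 10}
REPLAY_SESSION = {"tz": "Europe/Kiev", "lang": "ru-RU", "plugins": 7, "ua": "Firefox/45",
                  "hour": 3, "new_payee": True}

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for name, session in (("normal", NORMAL_SESSION), ("replay", REPLAY_SESSION)):
        score, reasons = score_session(baseline, session)
        print(name, score, is_suspicious(baseline, session), reasons)
```

The device attributes only help when the fraudster logs in from a machine of their own. When GozNym drives the transaction from the victim's own infected browser, time zone, language and plug-ins all match the baseline, and the check has to lean on transaction-level signals such as the new payee, the amount and the timing.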

Fraud detection software can watch transactions closely, looking at where money is going and any unusual behavior patterns.

"The cat-and-mouse game will never stop," Vigna said. "There's no way we could have the final solution to this. But we can get better and we can use fine-grain analysis that allows us to use their attempts to go undetected as a signal to detect them."

Editor at Large Penny Crosman welcomes feedback on her posts at penny.crosman@sourcemedia.com.
