According to IBM X-Force data, several major cybercrime groups that operate banking Trojans have slowly relinquished center stage in 2017, and for no apparent external reason. These groups include: Shifu, Tinba, Neverquest, Qadars, and GozNym – all of which have gradually faded away, or are nearing hiatus in 2017.
Where were these malware codes before, and where are they today? This blog series reviews their history and tracks the current status of each Trojan. In this blog post, we focus on GozNym.
The GozNym Trojan was an interesting case when it emerged in April 2016. Upon its detection, IBM X-Force research analyzed it and reported that it was actually not one, but two malware codes meshed into one: a two-headed beast made of a powerful infector in the shape of the Nymaim loader, and a proven bank fraud module that came from Gozi ISFB.
GozNym's operators did not waste any time. They took this new code and started attacking banks in the US. Within a matter of days, they had already managed to steal millions of dollars, and that was only the beginning.
Within the span of one week, GozNym started attacking in Poland, a different language zone and a different banking system than the one used in the US. That meant a group was behind it, and to top it off, the malware featured redirection attacks – a sophisticated way to take victims to a fake site, away from the bank's security and detection, and take over their accounts.
There was no doubt that this malware's operators knew what they were doing and had been preparing for a while. The next step was bringing the redirection scheme to US business banking in June 2016. By August 2016, GozNym was equipped with redirection attacks that targeted German banks, intensifying its attacks in Europe in peaks of thousands of percentage points compared with the four months prior.
With its forceful launch and rapid spread, GozNym got the attention of banks, security teams, and law enforcement alike. It was at its peak right when a new contender showed up in the cybercrime arena – the TrickBot Trojan – starting to chomp chunks of GozNym's turf, redirection attacks and all.
GozNym's Big Road Bump
By the summer of 2016, it was clear that GozNym was a new force in the cybercrime arena. In November 2016, X-Force research was still observing campaigns in the US and in Germany. The malware was possibly operated by two actors/groups in tandem: in Germany it continued to focus on bank accounts, whereas in the US, GozNym had diversified its target list for the holiday season. It added the most popular electronics retailers, ecommerce sites, eWallet providers, telecommunications vendors, and payment card providers to the target list, and launched a new infection campaign.
And while all this was happening, something else was underway behind the scenes – the upcoming takedown of the largest and longest-standing bulletproof cybercrime operation, which just happened to also host GozNym attacks: the Avalanche network.
Europol released a notice about the takedown on Dec. 1, 2016. On Dec. 12, 2016, the American DoJ released a notice on the arrest of a Bulgarian national charged with operating GozNym attacks against US residents.
The six-count indictment had been in preparation for months beforehand, and although it named only a sole defendant, unsealing the indictment provided a rare glimpse into the sort of money banking Trojan operators steal from the organizations they target. The amounts reported by the DoJ ranged from $118,000 to $737,000 from each victim, and GozNym was just getting started. Other, longer-standing groups, like Dridex, have already been named as the culprits in losses of millions of dollars at a time.
GozNym Comes Tumbling Down
The investigation and arrest of one of its members affected the GozNym gang enough to have its operation halted.
Per X-Force data, after that last campaign the group did not launch any other major campaigns, and only sporadic and coincidental infections have been seen ever since. A graph of attempted GozNym infections shows that numbers never crossed a global total of a few dozen, which could have come from emails that were opened after the gang stopped spamming the Trojan out, or from users getting infected on additional devices.
IBM X-Force continued to detect attempted web-injection activity during the past 12 months. A pattern in those detections means that endpoints that were infected in the past still have the malware trying to inject when users go online, but the actual malicious activity does not take place.
The pattern nonetheless saw a sharp decline in September 2017, likely due to more endpoints being cleaned by antivirus removal or quarantine of the malware, which is considered rather old by now.
Life After Avalanche
GozNym, in its hybrid form, has been idle in attacks in the wild during 2017, but we can't forget that two-headed beasts can still live with only one head attached…
The code on which the larger part of GozNym was based, Nymaim, lives on. The malware has remained somewhat active on two fronts: ransomware distribution, which was its focus before the GozNym endeavor, mostly in connection with Cerber and Kovter, and providing an entry point for banking Trojans like Dridex in Europe.
According to some reports, Nymaim was part of the infection chain delivering banking malware in Poland in sporadic activity detected between January and July 2017. In those cases, Nymaim was the first stage infector launched from malware-laden email attachments.
These went on until researchers eventually exposed the new home Nymaim adopted after the Avalanche takedown – a network of domains used to deliver Nymaim from document attachments as a first stage infector for the Zeus Chthonic banking Trojan. Although Nymaim was still alive through those domains in August 2017, that was the last time it appeared.
Will Bygones Be Bygones?
Is GozNym gone for good? That's a valid question when considering the effort that was put into building the malware and the investment of operating in several geographies within a very short amount of time, against enterprise targets. All these feats did not simply spring from a team of amateurs, but rather from those already connected to cybercrime actors in Eastern Europe.
Much as can happen with any code, we may see re-use and some forms of comebacks in the future, but my hope is that law enforcement has indeed been the deterring force that will keep this hybrid off the grid for a long time.
 In the US, an indictment is an accusation. A defendant is presumed innocent unless and until proven guilty.