After causing damage in April 2016 and being discovered by IBM's X-Force threat research unit, the GozNym banking Trojan is making waves again. This time, the threat is targeting customers of German banks and their subsidiaries, using coordinated spam flood attacks.
GozNym is an amalgamation of code from the Gozi and Nymaim threats. Nymaim is a Trojan that was formerly used to deploy ransomware on victims' computers. Gozi is the name of an older banking Trojan, whose source code was leaked back in 2014.
GozNym Switches Tactics to Use Redirection Attacks
The first manifestations of the GozNym threat used a web injection approach, where the content shown in the browser was replaced with "injected" fake content that can capture user input, including usernames, passwords, and other sensitive information. The new version deployed in Germany uses redirection attacks in addition to the injections. According to X-Force, the bad actors operating the malware have made a "significant investment" to break into new language territory.
In a redirection attack, the victim is sent to a banking portal that is made to look like the real thing but is actually a fake site, run and hosted by the cybercriminals behind the malware. Another notable banking Trojan that relied on redirection attacks is Dyre, but that was only deployed in English-speaking countries and in Spain. Dridex, another infamous banking Trojan, also used redirection for a while, but it was never its chief method of stealing data.
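Because a redirection attack ends with the browser loading a lookalike of the real banking site, one place a defender can catch it is in web-proxy logs: a client that requested the legitimate bank and then lands on a host that merely resembles it. The following script is an added illustration written for this article, not code from X-Force or from the GozNym report; the log format, the monitored domain list and every log line in it are constructed sample data, and the lookalike rules (edit distance on the second-level label, the bank's name reused under another domain) are the author's own simple heuristics.

```python
"""
Added defensive example (not from the original article or IBM X-Force): scan
web-proxy log lines for clients that reached a lookalike of a monitored bank
domain, which is the footprint a redirection attack leaves behind.
All domains and log lines below are constructed sample data.
"""
import re
from urllib.parse import urlsplit

# Hypothetical legitimate bank domains a defender monitors (constructed).
MONITORED_DOMAINS = ["examplebank.de", "online.examplebank.de"]

# Constructed proxy log format: timestamp client method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, monitored=MONITORED_DOMAINS, max_distance: int = 2):
    """Return the monitored domain that `host` impersonates, or None.

    A host is legitimate if it equals, or is a subdomain of, a monitored domain.
    It is flagged as a lookalike when its second-level label is the bank's name
    under a different TLD, is within `max_distance` edits of the bank's name
    (e.g. 'examp1ebank'), or when the bank's name is reused as a leading
    subdomain of some unrelated domain (e.g. examplebank.de.secure-login.example).
    """
    for legit in monitored:
        if host == legit or host.endswith("." + legit):
            return None
    labels = host.split(".")
    host_sld = labels[-2] if len(labels) >= 2 else host
    for legit in monitored:
        legit_sld = legit.split(".")[-2]          # e.g. "examplebank"
        if host_sld == legit_sld:                  # same name, different TLD
            return legit
        if edit_distance(host_sld, legit_sld) <= max_distance:
            return legit
        if legit_sld in labels[:-2]:               # bank name as a leading subdomain
            return legit
    return None


def find_redirect_suspects(log_text: str):
    """Scan proxy log lines and flag every request that landed on a lookalike.

    Returns a list of (client, host, impersonated_domain) tuples in log order.
    """
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                                # skip malformed lines
        host = host_of(m["url"])
        target = lookalike_of(host)
        if target:
            hits.append((m["client"], host, target))
    return hits


# Constructed sample log: one victim typo-squatted, one sent to a fake portal.
SAMPLE_LOG = """\
2016-08-22T09:01:10Z 10.0.0.5 GET https://online.examplebank.de/login 200
2016-08-22T09:01:12Z 10.0.0.5 GET https://online.examp1ebank.de/login 200
2016-08-22T09:02:30Z 10.0.0.7 GET https://www.examplebank.de/ 200
2016-08-22T09:03:01Z 10.0.0.9 GET https://examplebank.de.secure-login.example/ 200
2016-08-22T09:04:00Z 10.0.0.9 GET https://news.example.org/ 200
"""

if __name__ == "__main__":
    for client, host, legit in find_redirect_suspects(SAMPLE_LOG):
        print(f"{client} reached {host}, which looks like {legit}")
```

The heuristics are deliberately loose: a real deployment would seed the monitored list from the bank's actual domains across all TLDs it owns, otherwise the "same name, different TLD" rule will flag the bank's own foreign sites, and would pair this with newly registered-domain and certificate-transparency feeds rather than relying on edit distance alone.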
GozNym Pushes in Germany, Using a Massive Spam Campaign
The method of deployment used for the newest GozNym attack on German bank customers is spam. From a quantitative point of view, GozNym spam has increased a mind-boggling 3500% compared to its volume a month earlier, in July. August alone saw the people behind the Trojan send five times as many spam emails as they did over the previous four-month period. This sharp surge prompted security researchers to state that the threat is evolving and that GozNym may soon target other countries as well.
X-Force concludes its report on the new GozNym attack with a bit of advice on how to prevent infection at the endpoint, including updating operating systems as soon as possible and using an adaptive anti-malware solution for that extra layer of protection.