GozNym, the banking Trojan first detected in April 2016, has been caught once again in a new active campaign. This time the victims are German users: researchers at IBM X-Force report that the Trojan has been targeting customers of 14 German banks, and that those victims are facing a new, improved version of GozNym.
How Are August 2016 GozNym Attacks Carried Out?
The attack scenario is based on so-called web injection attacks. In this type of attack the Trojan hooks into the victim's browser (a man-in-the-browser position) and alters or replaces the content of a page whenever the user accesses a banking portal, so that the fake fields or messages appear to come from the bank itself, under the bank's own URL.
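To make the web injection idea concrete, the following is an added example, not code from the IBM report or from GozNym. It applies a Zeus/ISFB-style webinject rule (set_url, data_before, data_inject, data_after) to a constructed login page, splicing an extra "TAN" field into the form, and then shows the kind of integrity check a bank's own page script could run against the rendered form. The HTML, the rule and the hostname `bank.example` are all constructed for illustration; GozNym's actual rule format is assumed, not taken from the page.

```javascript
// Added example: minimal webinject applier plus a defender-side check.
// Not GozNym's code; rule format follows the well-known Zeus/ISFB style.

// Constructed sample of the HTML a bank login page might serve.
const ORIGINAL_HTML = `<html><body>
<form id="login" action="/login" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
  <button type="submit">Login</button>
</form>
</body></html>`;

// Constructed webinject rule: if the URL matches set_url, everything between
// data_before and data_after is replaced with data_inject.
const RULES = [
  {
    set_url: "https://bank.example/login*",              // hypothetical target
    data_before: '<input name="pass" type="password">',
    data_inject: '<input name="tan" type="text" placeholder="TAN">',
    data_after: "<button",
  },
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Zeus-style URL patterns: '*' is a wildcard, everything else is literal.
function urlMatches(pattern, url) {
  const re = new RegExp("^" + pattern.split("*").map(escapeRegExp).join(".*") + "$");
  return re.test(url);
}

// Attacker side: rewrite the page body before the browser renders it.
function applyInjects(url, html, rules) {
  let out = html;
  for (const r of rules) {
    if (!urlMatches(r.set_url, url)) continue;
    const start = out.indexOf(r.data_before);
    if (start < 0) continue;                 // anchor not on this page
    const afterBefore = start + r.data_before.length;
    const end = out.indexOf(r.data_after, afterBefore);
    if (end < 0) continue;                   // closing anchor missing
    out = out.slice(0, afterBefore) + r.data_inject + out.slice(end);
  }
  return out;
}

// Defender side: list input names present in the form that the server
// never intended to render. A real deployment would compare against a
// server-signed field list; here the expected names are passed in directly.
function unexpectedFields(html, expectedNames) {
  const names = [...html.matchAll(/<input[^>]*\bname="([^"]+)"/g)].map((m) => m[1]);
  return names.filter((n) => !expectedNames.includes(n));
}

// Usage: run the inject against the constructed page and check the result.
const injected = applyInjects("https://bank.example/login?lang=de", ORIGINAL_HTML, RULES);
console.log(injected);
console.log("unexpected fields:", unexpectedFields(injected, ["user", "pass"]));
```

The point of the defender check is that a web inject changes the DOM the user sees, not the server's response, so the bank cannot detect it from its own logs alone; a client-side integrity check (or an out-of-band comparison of what the server sent against what was rendered) is one of the few places the tampering is visible.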
Researchers have concluded that this is the primary method adopted by the coders and distributors of banking Trojans. Interestingly, GozNym inherits this capability from an older banker, Gozi. Gozi's code was leaked in 2014, and that is likely how GozNym came to be: it is a hybrid built from code taken from Gozi and from another Trojan, Nymaim.
What's new with GozNym? There are now redirection schemes in addition to the web injection-based attacks for all the targeted brands. In a redirection attack the victim is not shown a modified copy of the real page but is sent to an attacker-hosted replica of the bank's site, which takes the fraud out of the bank's reach entirely. Researchers say this demonstrates GozNym's significant investment in German-language attack capabilities.
The GozNym version that employed the redirection technique was first spotted in Poland in April and then it was deployed against banks in the US in June.
Recent telemetry data shows that the GozNym operators are now distributing new versions of the Trojan, delivered through aggressive spam campaigns and relying on the redirection attacks described above.
According to IBM's report, GozNym-related spam has jumped: August saw roughly five times the volume of spam spreading the Trojan that was seen in July.
Looking at GozNym’s timeline, it is evident that the gang operating the malware has the resources and savvy to deploy sophisticated cybercrime tactics against banks. The project is very active and evolving rapidly, making it likely to spread to additional countries over time.