IBM X-Force Research has uncovered a new banking Trojan. The malware, named GozNym, is a hybrid of two previously known banking Trojans, Nymaim and Gozi ISFB: researchers have established that it combines code from both and delivers an obfuscated payload to evade detection. Anyone who believes their system has been affected by this banking Trojan should immediately disconnect it from the network, follow the removal guidance below, and then change all of their financial credentials from a device known to be clean.
Short Description: The threat infects systems used for online banking and steals financial credentials or funds from compromised accounts.
Symptoms: Started by a malicious executable; also reported to download other malware, such as ransomware, onto the infected computer.
Distribution Method: Via malicious executables (see Distribution below).
GozNym Banking Trojan – Distribution
Although the Trojan is highly effective, its spread appears to be limited to the customers of targeted institutions. Banks and the large e-payment vendors have hardened their core security, which pushes cyber-criminals toward other e-payment and online financing providers. So far this Trojan has been reported attacking institutions located primarily in North America, Europe, and South America.
Cyber Criminals Have New Targets – Online Payment Systems
The Trojan's distribution methods vary. The most widely used is the exploit kit: the victim visits a compromised or malicious web page, the kit exploits an unpatched browser or plug-in, and the GozNym executable is dropped and run without any user action. Malware researchers have reported over a million devices infected by an executable delivered through the infamous BlackHole exploit kit.
GozNym Banking Trojan In Detail
Researchers at IBM X-Force report that, to infect user PCs, the Trojan carries two code bases: part of it is Gozi ISFB's code and the other part is Nymaim's loader. This is notable because the hybrid takes different functions from each parent: whenever the Gozi ISFB portion needs a function or feature implemented in Nymaim, it calls into the Nymaim portion rather than re-implementing it.
The hybrid works through intermediary "call" stubs. IBM's researchers documented one such stub, which is invoked every time the Gozi ISFB part wants to use a Nymaim feature.
The difference from the old Gozi ISFB is that, instead of injecting a DLL file reported to be about 150 KB, the new GozNym hybrid injects a code buffer of around 50 KB directly into the browser process. That buffer also contains portions of Nymaim's code. Because it is raw code rather than a DLL, the injected buffer carries no PE header for a scanner to find.
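The injection described above leaves a tell that does not depend on file headers: a committed, executable memory region inside the browser process that is not backed by any image on disk. The following is an added example (not code from the IBM X-Force report or from GozNym) of a malfind-style check over a listing of a process's memory regions, shaped like the MEMORY_BASIC_INFORMATION records that VirtualQueryEx returns. The sample regions are constructed for illustration, including a ~50 KB raw read-write-execute buffer like the one the article describes; the region fields, sizes and addresses are assumptions.

```python
# Added example: flag executable memory in a process that is not backed by an
# image file, which is what a code buffer injected into a browser looks like.
# Region records are constructed sample data, not output from a real host.
from dataclasses import dataclass
from typing import List, Tuple

# Constants from winnt.h.
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
              PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass
class Region:
    base: int        # BaseAddress
    size: int        # RegionSize in bytes
    state: int       # MEM_COMMIT / MEM_RESERVE
    mem_type: int    # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
    protect: int     # PAGE_* protection
    head: bytes      # first bytes of the region (as read with ReadProcessMemory)


def is_suspicious(r: Region) -> bool:
    """Committed, executable and not backed by an image file: code that was
    written into the process rather than loaded from a DLL or EXE on disk."""
    if r.state != MEM_COMMIT or r.mem_type == MEM_IMAGE:
        return False
    return r.protect in EXECUTABLE


def classify(r: Region) -> str:
    """Rank a suspicious region. An injected DLL still starts with 'MZ';
    a raw code buffer does not, so a header-only scanner would miss it."""
    if r.head.startswith(b"MZ"):
        return "injected-pe"
    if r.protect in WRITABLE_EXECUTABLE:
        return "injected-rwx"
    return "private-exec"   # could be a JIT page; needs a human look


def scan(regions: List[Region]) -> List[Tuple[int, int, str]]:
    """Return (base, size, verdict) for every region worth investigating."""
    return [(r.base, r.size, classify(r)) for r in regions if is_suspicious(r)]


# Constructed listing for a browser process: two legitimate regions, a
# JIT-style page, a ~50 KB raw RWX buffer like the one described above,
# an injected DLL for contrast, and a reserved-but-uncommitted range.
SAMPLE_REGIONS = [
    Region(0x7FF6_4000_0000, 0x1000, MEM_COMMIT, MEM_IMAGE,
           PAGE_READONLY, b"MZ\x90\x00"),                     # browser .exe header
    Region(0x0000_0200_0000, 0x10000, MEM_COMMIT, MEM_PRIVATE,
           PAGE_READWRITE, b"\x00" * 4),                      # heap
    Region(0x0000_1F00_0000, 0x20000, MEM_COMMIT, MEM_PRIVATE,
           PAGE_EXECUTE_READ, b"\x55\x48\x89\xe5"),           # JIT code (legit)
    Region(0x0000_2A00_0000, 0xC800, MEM_COMMIT, MEM_PRIVATE,
           PAGE_EXECUTE_READWRITE, b"\xe8\x00\x00\x00\x00"),  # injected buffer
    Region(0x0000_3B00_0000, 0x26000, MEM_COMMIT, MEM_PRIVATE,
           PAGE_EXECUTE_READWRITE, b"MZ\x90\x00"),            # injected DLL
    Region(0x0000_4C00_0000, 0x100000, MEM_RESERVE, MEM_PRIVATE,
           0, b""),                                           # reserved, no pages
]

if __name__ == "__main__":
    for base, size, verdict in scan(SAMPLE_REGIONS):
        print(f"0x{base:016x}  {size:>7} bytes  {verdict}")
```

On a live Windows host the region listing comes from VirtualQueryEx plus ReadProcessMemory on each browser process, or from a tool such as Volatility's malfind over a memory image. Treat "private-exec" as a lead rather than a verdict: browser JIT engines allocate private executable pages as a matter of course. A writable-and-executable region with no image backing is far rarer in a healthy browser, and a raw buffer in the size range the article reports is the kind of hit worth dumping and analysing.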
Conclusion and Removal of GozNym
The bottom line: this Trojan is powerful and effective, and it can steal the financial data of an infected device without the user noticing. Removing GozNym is tricky because, before anything can be removed, it has to be detected, and the injected code lives inside a legitimate browser process rather than in a file on disk. Both detection and removal call for advanced anti-malware software that stops the malware before it runs, and the removal steps differ from one system to another.
For Windows systems, we recommend following the instructions below.