
GozNym Trojan Targets European Users

The cybercriminals behind the recently discovered GozNym banking Trojan have started targeting users in European countries.

The cybercriminals behind the recently discovered GozNym banking Trojan have started targeting users in European countries.

GozNym, a malware that combines code from the Nymaim ransomware dropper and the Gozi ISFB banking Trojan, surfaced in April, when it was observed targeting 24 financial institutions in North America.

According to IBM X-Force researchers, malicious actors have begun using the malware in attacks aimed at Europe. The threat has targeted corporate, investment banking and consumer accounts at 17 banks in Poland and one major bank in Portugal. In addition to banks, the Trojan also targets the customers of Polish webmail service providers.

Once it infects a device, the malware monitors the victim’s online activities and compares the websites they visit to a list of 230 URLs stored in its configuration file. When one of these sites is accessed, a redirection attack is initiated and the user is taken to a phishing page that mimics the targeted service.

Such redirection attacks are common for financial malware, including well-known threats such as Dridex and Dyre. However, GozNym authors have come up with a two-phase redirection scheme that should make it more difficult for researchers to analyze the campaign.

In the first phase, when users visit one of the targeted websites, they are immediately redirected to the corresponding phishing page, which allows the attackers to collect credentials and two-factor authentication data. To the victim, the page appears to be hosted on the bank's legitimate domain, and the browser's address bar still shows the SSL certificate indicator. According to the researchers, this is achieved by sending empty requests to the bank's legitimate website so that the original SSL connection is kept alive while the malicious content is displayed.

While users are taken to the malicious page in the first phase of the attack, the content of this page is actually under a blank overlay mask that covers the entire screen. By covering up the malicious content, cybercriminals make it look like an empty page when someone attempts to examine it. The redirection, the phishing page and the overlay screen are fetched from a command and control (C&C) server hosted in Moscow, Russia.

In the second phase of the attack, the overlay screen is removed and the phishing page is displayed to the victim. This is done via a JavaScript file that manipulates the Document Object Model (DOM).


After the initial login data is provided, a delay screen is injected and the victim is instructed to wait. In the meantime, the attackers query the C&C server for webinjections designed to trick the victim into handing over additional information.

The second phase relies on a different C&C server, which makes the attack more difficult to analyze.
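The behaviour described above leaves a traffic signature a defender can look for: a client loads a targeted bank page, then repeatedly sends requests to the legitimate bank host that return nothing (the keep-alive trick), while scripts and overlay content for that same page are fetched from an unrelated host. The following detector is an added example, not code from IBM X-Force or from the SecurityWeek article. It runs over constructed proxy log lines; the log format, the hostnames (bank.example, 203.0.113.44), the client addresses and the thresholds are all assumptions, and it presumes the proxy can see full URLs (i.e. TLS is inspected).

```python
"""Heuristic detector for a GozNym-style two-phase redirection, run over
constructed proxy logs. Added example; the log format, hosts and thresholds
are assumptions and not taken from the IBM X-Force report."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed log lines (assumed format):
#   <iso-ts> <client-ip> <method> <url> <status> <response-bytes> <referer>
# 10.0.0.5 is a normal login; 10.0.0.7 shows the redirection pattern.
SAMPLE_LOG = """\
2016-05-10T09:00:01 10.0.0.5 GET https://bank.example/login 200 18342 -
2016-05-10T09:00:02 10.0.0.5 GET https://cdn.bank.example/app.js 200 90211 https://bank.example/login
2016-05-10T09:00:03 10.0.0.7 GET https://bank.example/login 200 18342 -
2016-05-10T09:00:03 10.0.0.7 GET https://203.0.113.44/r/overlay.js 200 4120 https://bank.example/login
2016-05-10T09:00:04 10.0.0.7 GET https://bank.example/ 200 0 https://bank.example/login
2016-05-10T09:00:09 10.0.0.7 GET https://bank.example/ 200 0 https://bank.example/login
2016-05-10T09:00:14 10.0.0.7 GET https://bank.example/ 200 0 https://bank.example/login
2016-05-10T09:00:19 10.0.0.7 GET https://bank.example/ 200 0 https://bank.example/login
2016-05-10T09:00:24 10.0.0.7 GET https://bank.example/ 200 0 https://bank.example/login
2016-05-10T09:00:25 10.0.0.7 POST https://203.0.113.44/r/inject 200 2210 https://bank.example/login
2016-05-10T09:00:40 10.0.0.5 POST https://bank.example/auth 302 0 https://bank.example/login
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, client, method, url, status, nbytes, referer = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "host": urlparse(url).hostname,
        "status": int(status),
        "bytes": int(nbytes),
        "referer": referer,
    }


def is_bank_host(host, bank_hosts):
    """True if host is one of the monitored bank domains or a subdomain of one."""
    return host is not None and any(
        host == b or host.endswith("." + b) for b in bank_hosts
    )


def max_in_window(timestamps, window_s):
    """Largest number of timestamps falling inside any window_s-second span."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while (t - ts[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_redirection(log_text, bank_hosts, min_empty=4, window_s=60):
    """Flag clients that show both signals within one session:
    (1) a burst of GETs to the bank host with an empty response body, and
    (2) resources loaded from a non-bank host while the referer is a bank page."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_client[ev["client"]].append(ev)

    findings = []
    for client in sorted(by_client):
        events = by_client[client]
        empties = [
            e["ts"] for e in events
            if e["method"] == "GET" and e["bytes"] == 0
            and is_bank_host(e["host"], bank_hosts)
        ]
        foreign = {
            e["host"] for e in events
            if e["referer"] != "-"
            and is_bank_host(urlparse(e["referer"]).hostname, bank_hosts)
            and not is_bank_host(e["host"], bank_hosts)
        }
        burst = max_in_window(empties, window_s)
        if burst >= min_empty and foreign:
            findings.append({
                "client": client,
                "empty_burst": burst,
                "foreign_hosts": sorted(foreign),
            })
    return findings


if __name__ == "__main__":
    for f in detect_redirection(SAMPLE_LOG, {"bank.example"}):
        print(f)
```

Both signals are required on purpose: legitimate bank front ends also load first-party assets from CDN subdomains (handled by the subdomain check) and occasionally return empty bodies, so either signal alone would be noisy. The thresholds are starting points to tune against real traffic, and the rule says nothing about the second-phase C&C, which the text says differs from the first; extending `foreign_hosts` to cover POSTs to previously unseen hosts is the natural next step.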

“Projects of this technical level are the domain of a few major cybercrime gangs active in the world. Convincing redirection attacks are a resource-intensive endeavor that require their operators to invest heavily in creating website replicas of individual targeted banks. The Nymaim gang stands out as one of very few groups with this capability,” said Limor Kessem, executive security advisor at IBM. “Currently, the only other known malware actively using redirection attacks is the Dridex gang. Rumors say a Neverquest faction also employs them; however, the latter has not yet been detected in the wild.”

Related: New GM Bot Version Released After Source Leak

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
