GozNym Trojan Targets European Users

The cybercriminals behind the recently discovered GozNym banking Trojan have started targeting users in European countries.

GozNym, a malware that combines code from the Nymaim ransomware dropper and the Gozi ISFB banking Trojan, surfaced in April, when it was observed targeting 24 financial institutions in North America.

According to IBM X-Force researchers, malicious actors have begun using the malware in attacks aimed at Europe. The threat has targeted corporate, investment banking and consumer accounts at 17 banks in Poland and one major bank in Portugal. In addition to banks, the Trojan also targets the customers of Polish webmail service providers.

Once it infects a device, the malware monitors the victim’s online activities and compares the websites they visit to a list of 230 URLs stored in its configuration file. When one of these sites is accessed, a redirection attack is initiated and the user is taken to a phishing page that mimics the targeted service.

Such redirection attacks are common for financial malware, including well-known threats such as Dridex and Dyre. However, the GozNym authors have come up with a two-phase redirection scheme that should make it more difficult for researchers to analyze the campaign.

In the first phase, when users visit one of the targeted websites, they are immediately redirected to the corresponding phishing page. This page, which allows attackers to collect credentials and two-factor authentication data, appears to be hosted on the bank’s legitimate domain, and the browser’s address bar even displays the SSL certificate indicator. This is achieved by sending empty requests to the bank’s legitimate website in an effort to keep the SSL connection alive.

While users are taken to the malicious page in the first phase of the attack, the content of this page is actually under a blank overlay mask that covers the entire screen. By covering up the malicious content, cybercriminals make it look like an empty page when someone attempts to examine it. The redirection, the phishing page and the overlay screen are fetched from a command and control (C&C) server hosted in Moscow, Russia.

In the second phase of the attack, the overlay screen is removed and the phishing page is displayed to the victim. This is done via a JavaScript file that manipulates the Document Object Model (DOM).
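A check an analyst can apply when a suspected phishing page renders blank, added here as an example and not code from the article or from IBM X-Force: it flags DOM elements shaped like the overlay mask described above (full-viewport, stacked on top, with no visible content). The element descriptor format, the `describeElement` helper and the sample page are assumptions constructed for this example.

```javascript
// Added example: flag DOM elements that behave like a blank full-screen overlay
// mask, i.e. a positioned element covering the whole viewport, stacked on top,
// with no text or children. Elements are passed in as plain descriptors so the
// check runs offline in Node; in a browser, build them with describeElement().

function coversViewport(el, viewport) {
  // Fixed/absolute elements anchored at (0,0) and spanning the viewport.
  return (el.position === "fixed" || el.position === "absolute") &&
    el.left <= 0 && el.top <= 0 &&
    el.width >= viewport.width && el.height >= viewport.height;
}

function isBlank(el) {
  // A mask hides content rather than presenting it: no text, no children,
  // and (near-)opaque so the content underneath is not visible.
  return el.text.trim() === "" && el.childCount === 0 && el.opacity >= 0.9;
}

function findOverlayMasks(elements, viewport) {
  // Only the top-most element(s) in the stacking order can act as a mask.
  const maxZ = Math.max(0, ...elements.map(e => e.zIndex || 0));
  return elements
    .filter(el => coversViewport(el, viewport) && isBlank(el) && (el.zIndex || 0) >= maxZ)
    .map(el => el.id);
}

// Helper for a real browser (assumption: standard DOM APIs); not called in Node.
function describeElement(el, win) {
  const cs = win.getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return { id: el.id || el.tagName, position: cs.position, left: r.left, top: r.top,
    width: r.width, height: r.height, zIndex: parseInt(cs.zIndex, 10) || 0,
    opacity: parseFloat(cs.opacity), text: el.textContent || "", childCount: el.children.length };
}

// Constructed sample page: a login form underneath a white, full-screen, top-most DIV.
const SAMPLE_VIEWPORT = { width: 1280, height: 720 };
const SAMPLE_ELEMENTS = [
  { id: "login-form", position: "static", left: 100, top: 200, width: 400, height: 300,
    zIndex: 0, opacity: 1, text: "Username", childCount: 3 },
  { id: "mask", position: "fixed", left: 0, top: 0, width: 1280, height: 720,
    zIndex: 9999, opacity: 1, text: "", childCount: 0 },
  { id: "cookie-bar", position: "fixed", left: 0, top: 680, width: 1280, height: 40,
    zIndex: 10, opacity: 1, text: "We use cookies", childCount: 1 },
];

console.log(findOverlayMasks(SAMPLE_ELEMENTS, SAMPLE_VIEWPORT)); // → ["mask"]
```

In a browser console the same check is `findOverlayMasks([...document.querySelectorAll("*")].map(e => describeElement(e, window)), { width: innerWidth, height: innerHeight })`; a hit means the apparently empty page has content hidden beneath the top-most element.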

After the initial login data is provided, a delay screen is injected and the victim is instructed to wait. In the meantime, the attackers query the C&C server for webinjections designed to trick the victim into handing over additional information.

The second phase relies on a different C&C server, which makes the attack more difficult to analyze.

“Projects of this technical level are the domain of a few major cybercrime gangs active in the world. Convincing redirection attacks are a resource-intensive endeavor that require their operators to invest heavily in creating website replicas of individual targeted banks. The Nymaim gang stands out as one of very few groups with this capability,” said Limor Kessem, executive security advisor at IBM. “Currently, the only other known malware actively using redirection attacks is the Dridex gang. Rumors say a Neverquest faction also employs them; however, the latter has not yet been detected in the wild.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.