This is a security alert for all TruShield clients, the financial services industry, and the community at large. We have learned of a new banking Trojan called GozNym, which is targeting banks and other financial institutions.
As anticipated, financial institutions remain a popular target for cybercriminals. GozNym is one of the latest in a steady stream of threats aimed at business banks, credit unions, ecommerce platforms, and more. As its name suggests, GozNym is unusual in that it combines elements of two other Trojans that target the same industry. The targets identified so far are largely in the U.S., with a few outliers in Canada. To date at least 24 financial services entities have been targeted, with an estimated $4 million in losses in early April alone.
Mixing Old Tricks
The two malware strains combined to produce GozNym are Gozi ISFB and Nymaim. Researchers at IBM X-Force observed that the first stage behaves like Nymaim, focusing on stealth and persistence rather than the ransomware lock screen that Nymaim was previously known for. Those tactics proved effective: in late 2013 it was reported that Nymaim had infected over 2.5 million machines. In the second stage of execution, GozNym deploys Gozi ISFB's online-banking functionality, as seen near the close of 2015. The conclusion that the two were hybridized into GozNym rests not only on the similar tactics but also on examination of the code itself. One specific point of comparison is the old Gozi ISFB web injection DLL versus GozNym's new buffer: the newer buffer clearly differs in size, but it performs essentially the same function of manipulating the victim's web sessions.
State of Industry Security
GozNym is just one small example of the increasing complexity of threats aimed at the financial services industry. It is worth noting that even migration to newer operating systems such as Windows 10 did not stop the older families from adapting to match. Financial institutions should act now to close any security gaps that would let GozNym take hold, since this is a preventable threat that relies on only slightly altered methods. Even organizations already prepared for GozNym should consider additional controls and redundancies. As 2016 continues, it would not be surprising to see a wave of more complex malware build on these tactics against the financial services industry.
Indicators of Compromise
Mitigation and Prevention
- Run updated antimalware and antivirus, with real-time protection enabled.
- Isolate infected systems from the network immediately, and plan on a full wipe and reimage rather than an in-place cleanup.
- Keep operating systems and applications patched with current updates.
- Monitor running processes for tampering or code injection attempts, particularly in browsers used for online banking.
- Use application control (whitelisting) software with a default-deny policy.
- Compare file hashes against known IOCs.
- Monitor systems for unexpected registry or file changes.
- Continuously monitor network traffic for anomalous connections.
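The two file-oriented items above (comparing files against known IOCs and watching for file changes) can be combined into one host check. The script below is an added example and is not part of the original alert, nor does it use any real GozNym indicator: it snapshots a directory tree by SHA-256, diffs a later snapshot against the baseline to surface added, removed and modified files, and flags any file whose hash appears in a supplied IOC list. The sample files, the "dropped payload" and the IOC hash are all constructed in a temporary directory so the script runs offline; in practice the baseline would be stored securely and the IOC set loaded from a vendor or ISAC feed.

```python
"""Baseline diff plus IOC hash matching for a directory tree.

Added example (not from the original advisory). All file contents and the
IOC hash below are constructed for demonstration and are not real indicators.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX style) to its SHA-256."""
    result = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            result[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Report files added, removed, or whose hash changed between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def match_iocs(snap: dict, ioc_hashes: set) -> list:
    """Return (path, sha256) pairs whose hash is on the known-bad list."""
    return sorted((path, digest) for path, digest in snap.items() if digest in ioc_hashes)


def demo():
    """Build a constructed directory, simulate a drop, and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "bank.dll").write_bytes(b"legitimate library v1")
        (root / "app" / "config.ini").write_bytes(b"[settings]\nserver=internal\n")
        baseline = snapshot(root)

        # Constructed "infection": one new file dropped, one existing file altered.
        payload = b"CONSTRUCTED SAMPLE PAYLOAD - not real malware"
        (root / "dropper.exe").write_bytes(payload)
        (root / "app" / "bank.dll").write_bytes(b"legitimate library v1 + injected stub")
        current = snapshot(root)

        # Constructed IOC list: in practice this comes from a threat intel feed.
        ioc_hashes = {hashlib.sha256(payload).hexdigest()}

        return diff_snapshots(baseline, current), match_iocs(current, ioc_hashes)


if __name__ == "__main__":
    changes, hits = demo()
    print("changes:", changes)
    print("IOC hits:", hits)
```

Hash matching only catches samples already on the list, so the diff output is the more durable signal: a new executable at a user-writable path or a changed library in an application directory deserves a look whether or not its hash is known.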