IBM X-Force reports that a new and upgraded variant of the GozNym banking Trojan is attacking 13 Germany-based financial institutions.
When it first appeared on the malware scene in April this year, GozNym was focused on targeting American and Canadian users. At that time it relied on the web injection attack method, in which the Trojan hijacks the user's browser and, when the user accesses a banking portal, injects fake content into the page.
This web injection tactic was first used by the Gozi banking Trojan, whose source code leaked online in 2014. Today, the majority of banking Trojans have adopted this tactic, including GozNym. GozNym, in fact, is a combination of the Nymaim malware and the Gozi ISFB.
Two weeks after GozNym's first appearance, its authors decided to try out another attack method, the so-called "redirection attack". With this technique, users are redirected to a fraudulent banking portal hosted on the attackers' servers.
The "redirection attack" scheme had previously been used only by the Dyre banking Trojan. At some point the Dridex banking Trojan also relied on it, but it was never its main mode of operation.
The first GozNym variants deploying redirection attacks were detected this April in Poland. Soon after, in June, they started massive attack campaigns against American banks.
Currently, researchers say, GozNym's authors are relying on huge spam waves to deliver the redirection-capable malware to users in Germany.
GozNym distribution has risen by 3,550% compared to July, IBM reports. In August alone, the spam messages GozNym sent were five times more than all the attacks from the previous four months put together.
"Looking at GozNym's timeline, it is evident that the gang operating the malware has the resources and savvy to deploy sophisticated cybercrime tactics against banks," says Limor Kessem. "The project is very active and evolving rapidly, making it likely to spread to additional countries over time."