A gang of hackers has combined two dangerous malware programs to create a new online banking Trojan. The newly found malware has already stolen millions of dollars from customers of 24 banks in the US and Canada.
Researchers from IBM X-Force named the threat GozNym because it combines the Nymaim malware with the Gozi banking Trojan. The Trojan targets 22 websites belonging to banks, credit unions and e-commerce platforms based in the US, plus two belonging to financial institutions in Canada.
According to the IBM researchers, business banking services appear to be the main target of GozNym's developers.
The experts classify Nymaim as a dropper: its purpose is to download and run other malware programs on infected computers. Nymaim is usually distributed through Web-based exploit kits served from compromised websites.
Nymaim uses detection-evasion techniques such as encryption, anti-VM and anti-debugging routines, and control-flow obfuscation. The threat had been used to install ransomware on victim machines, but since last November the gang that controls Nymaim has switched to banking fraud.
The dropper began loading a DLL that is part of the Gozi ISFB malware and is capable of injecting malicious code into Web browsing sessions. This technique, known as web injection, is the most common method of committing online banking fraud: the injected content alters the bank's page inside the victim's own browser, after the TLS session has been established, so neither the certificate nor the lock icon gives any warning.
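As an added illustration of the web-session manipulation described above (this is example code written for this page, not code from the GozNym sample or from IBM X-Force), the following Python models how a web inject engine rewrites a bank login page before the browser renders it. The rule layout (set_url / data_before / data_after / data_inject) follows the widely documented Zeus-style webinject format; that GozNym's own configuration uses exactly this layout is an assumption, and the bank domain, rule and page below are constructed. The last function shows the defender-side check an analyst would actually run: diff the input fields of a page fetched through a suspect machine against a clean reference.

```python
"""Toy model of a Zeus/ISFB-style web inject (added example, not GozNym code).

Assumptions: the rule keys mirror the Zeus-style format; domains, rules and
the sample page are constructed for illustration only.
"""

import fnmatch
import re

# Constructed inject rule. A real config carries many entries, one per
# targeted bank, usually adding "PIN", "token" or "security question" fields.
INJECTS = [
    {
        "set_url": "https://*.example-bank.test/login*",
        "data_before": '<input type="password" name="password">',
        "data_after": "<button",
        "data_inject": '<input type="text" name="pin" placeholder="Card PIN">',
    },
]


def url_targeted(url: str, rule: dict) -> bool:
    """set_url masks use * as a wildcard; compare case-insensitively."""
    return fnmatch.fnmatch(url.lower(), rule["set_url"].lower())


def apply_inject(html: str, rule: dict) -> str:
    """Replace the text between data_before and data_after with data_inject.

    Both markers are kept. An empty data_after means "insert directly after
    data_before". If a marker is missing the page is returned untouched,
    which is what an inject engine does silently when a bank changes its
    page layout.
    """
    start = html.find(rule["data_before"])
    if start == -1:
        return html
    start += len(rule["data_before"])
    if rule["data_after"]:
        end = html.find(rule["data_after"], start)
        if end == -1:
            return html
    else:
        end = start
    return html[:start] + rule["data_inject"] + html[end:]


def man_in_the_browser(url: str, html: str, rules=INJECTS) -> str:
    """Apply every rule whose URL mask matches the page being loaded.

    The browser then renders the modified page over a perfectly valid TLS
    session, so the certificate and lock icon give the victim no warning.
    """
    for rule in rules:
        if url_targeted(url, rule):
            html = apply_inject(html, rule)
    return html


def input_fields(html: str) -> list:
    """Defender-side check: list the input names a page contains, so a page
    fetched through a suspect machine can be diffed against a clean copy."""
    return re.findall(r'<input[^>]*\bname="([^"]+)"', html)


# Constructed sample of a bank login page (not a real site).
CLEAN_PAGE = """<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>"""


if __name__ == "__main__":
    tampered = man_in_the_browser("https://online.example-bank.test/login", CLEAN_PAGE)
    print(tampered)
    print("clean fields:   ", input_fields(CLEAN_PAGE))
    print("tampered fields:", input_fields(tampered))
```

Run stand-alone, the script prints the rewritten form with the extra PIN field and the before/after field lists; the same page requested for a domain that no rule matches comes back unchanged. The point for defenders is that the tampering happens after decryption, inside the browser process, so it is invisible to network monitoring and has to be caught on the endpoint or by comparing what the browser rendered against what the server sent.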
The integration of Nymaim and Gozi became complete in April, when a new version was discovered that combined code from both threats into a brand new Trojan, named GozNym.
“This malware is as stealthy and persistent as the Nymaim loader while possessing the Gozi ISFB Trojan’s ability to manipulate Web sessions, resulting in advanced online banking fraud attacks,” the researchers from IBM X-Force stated.