Be Alert! GozNym Trojan is Back Once Again to Target Banks and Financial Services!

Gozi ISFB and Nymaim are two older malware families that cyber criminals used to target banks a few years ago. Now a Trojan named GozNym, a hybrid of the two, has been detected by security researchers at the Spanish security firm “Buguroo”. GozNym was first spotted by many researchers in the early months of this year, but this time it returns with more advanced and harder-to-detect functionality. The source code of both the Gozi and Nymaim Trojans was released by their authors on underground black markets, and hackers are now modifying that code to build more advanced Trojans that bypass antivirus tools very easily.

According to the security researchers, the authors of this Trojan are spreading it using advanced social engineering techniques. Poland, Japan, Canada, Australia, Spain and Italy are the most affected countries, and the hackers are also working to spread the Trojan in Western Europe and the United States. The researchers said the authors of GozNym are exploiting vulnerabilities in WordPress plugins to spread the Trojan in the wild; cases of this type have been observed by researchers in Spain. The hackers are also spreading the Trojan through malicious websites that offer “URL shortening” services.

CitiDirect BE, PayPal, BNP Paribas, Bank of Tokyo and ING Bank are the brands that have been affected by this Trojan. Japan and Poland have the highest numbers of infected users. To target these countries, the hackers are using servers located in Canada, Australia and Italy. The Trojan's code is very complex, which clearly shows that its authors are highly skilled. They are using “web injection” attacks to modify the websites that victims see.

How It Works

The hackers are spreading this Trojan by compromising well-known websites after exploiting their vulnerabilities, and they are using web injection attacks to do it. These types of attacks are difficult to detect. Many popular websites in Japan and Poland use vulnerable WordPress plugins; by injecting code into these websites, the hackers are infecting a large number of users in very little time. Once a user's web browser is infected, the Trojan is left in place to trace all of the user's activity.

When the victim visits a bank or financial website to make a payment, the Trojan sends the browser's information to servers controlled by its authors. After reading that information, the hackers send the victim the content required to carry out transfers and payments: fake web pages that look like the legitimate banking website. On these fake pages victims see a “Pending Deposit Request”, which asks for a security code to complete the transaction. The hackers control all of this through command-and-control servers.
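One way a bank's own client-side integrity script could flag this kind of web inject is to compare a snapshot of the form as rendered in the user's browser against the fields the genuine page is known to contain, and to look for the overlay wording described above. The following is an added example written for this article, not code from Buguroo or from the malware; the field names, the HTML snapshots and the phrase list are constructed assumptions.

```python
from html.parser import HTMLParser

# Wording the article says the injected overlay shows to victims (assumed list).
SUSPICIOUS_PHRASES = ("pending deposit request", "security code")


class _FormScanner(HTMLParser):
    """Collect input field names and visible text from an HTML snapshot."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.fields.append(a.get("name") or a.get("id") or "")

    def handle_data(self, data):
        self.text.append(data.strip().lower())


def find_injected_content(expected_fields, rendered_html):
    """Return (unexpected input names, matched overlay phrases) for a snapshot."""
    scanner = _FormScanner()
    scanner.feed(rendered_html)
    unexpected = sorted(f for f in scanner.fields if f not in expected_fields)
    visible = " ".join(t for t in scanner.text if t)
    phrases = [p for p in SUSPICIOUS_PHRASES if p in visible]
    return unexpected, phrases


# Constructed sample: the fields the bank's genuine transfer form contains.
EXPECTED_FIELDS = {"beneficiary", "amount", "reference", "otp"}

# Constructed sample: the same form as rendered in an infected browser, with an
# injected "Pending Deposit Request" block that asks for an extra security code.
INJECTED_SNAPSHOT = """
<form id="transfer">
  <input name="beneficiary"><input name="amount"><input name="reference">
  <div class="alert"><b>Pending Deposit Request</b>
    Enter your security code to release the deposit:
    <input name="sec_code"></div>
  <input name="otp">
</form>
"""

if __name__ == "__main__":
    print(find_injected_content(EXPECTED_FIELDS, INJECTED_SNAPSHOT))
```

An unexpected field or a phrase hit is a signal to report to the bank's fraud telemetry, not proof on its own, since legitimate pages can also mention a security code.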

This is a smart Trojan that also monitors user behaviour. In simple terms, it measures how much time the victim takes to move from one input field to the next. This type of information helps the hackers model the user's behaviour and gives them enough time to bypass security systems.