The GozNym Trojan, which is a Frankenstein-like hybrid of two families of malware, has been used to frequently deliver malware through various spear phishing campaigns. But it turns out that this baddie has split personality disorder, with four different variants out in the wild to wreak havoc.
By way of background, Gozi was a widely distributed banking trojan with a DGA and also contained the ability to install a Master Boot Record (MBR) rootkit. Nymaim emerged in 2013 as malware which was used to deliver ransomware. There have been multiple instances in which the source code of the Gozi trojan has been leaked, which allowed the GozNym authors to create a significantly more robust piece of malware which was now capable of utilizing strengthened persistence methods and ultimately becoming a powerful banking trojan.
Cisco Talos engineers reverse-engineered the malware, which allowed them to gain visibility into the size and scope of this threat and the number of infected systems beaconing to C2 servers under adversarial control. After analyzing the data, Talos discovered 23,062 infected machines within the first 24 hours. Talos also identified that the four different variants of GozNym that exhibited slightly different characteristics with respect to the Domain Generation Algorithms (DGAs) used to generate the list of C2 servers to connect to.
“It is possible that they were all created and deployed by the same threat actor or group as there are several overlaps in regards to the use of the same C2 infrastructure, where the binaries were being distributed from, and the phishing campaigns associated with the distribution of the samples,” said Ben Baker, Edmund Brumaghin and Jonah Samost, in a blog.
Talos identified several spear phishing campaigns which were used to distribute the GozNym malware. The themes are similar to others commonly seen in email-based threats whereby messages will be directed to the recipient to open an attached "tax invoice" or "payment document.” The adversary took the time to profile each of the organizations targeted in these campaigns. In many cases that Talos analyzed, a single email was sent to each organization with the sole recipient being an employee in the accounting or finance department of the targeted organization. Additionally, the contents of each message were tailored to the organization and featured attachment names also appropriately tailored.
“The characteristics associated with the spam campaigns used to distribute GozNym to potential victims, a good deal of effort was spent determining who to target within organizations and spear phishing was used in an effort to evade detection and avoid alerting administrators,” the researchers said.
In one such campaign the attached MS Word documents containing the malicious VBA macros were made to appear as legitimate payment invoices from Bank of America. The actor also tried to further convince the user to enable macros within Microsoft word by providing a notification prompt.
In another campaign, the attachment was delivered as a tax invoice, and images included references to Intuit QuickBooks. The same notification was used again to try and coerce the victim to enable macros.
The research also showed that GozNym puts a lot of effort into being difficult to detect in network traffic.
“Every field in the C2 communications is either randomly generated or encrypted using the partially-random key,” the analysts said. “The URL arguments can be randomly generated with a random number of arguments or can be hardcoded in the malware configuration data. The domains are randomly generated and the User-Agent strings are generated by Windows API and therefore not static.”
Talos’ sinkhole server received 23,062 beacons from 1854 unique IPs within the first 24 hours of sinkholing GozNym. Each infected machine would only send one beacon before realizing that it wasn’t getting a response, so that roughly corresponds to one beacon per victim. Talos said that it was actively working to sinkhole all of the botnets that it finds associated with the GozNym campaign.
“Spear phishing attacks continue to be used by threat actors attempting to infect organizations,” the researchers said. “This is likely due to the continued success of these types of attacks. GozNym highlights the dangers of phishing campaigns and the importance of ensuring that organizations are protected from these types of threats. As shown by our analysis, GozNym is a constantly evolving threat that will likely continue to morph moving forward as attackers seek to add additional features and improve upon the ones currently present within the trojan.”
Photo © doublePHOTO studio