
Franken-Trojan Steals $4M from North American Banks

Researchers at IBM have discovered a new piece of malware that has stolen $4 million from more than 24 American and Canadian banks in just a few days.

Numerous credit unions and popular e-commerce platforms were also said to have been targeted.

IBM said that the hackers combined code from two malware types, known as Nymaim and Gozi, to create the unholy hybrid dubbed GozNym—a franken-trojan, if you will.

“Cyber criminals have specialties just like their white-hat counterparts. By taking bits of code from different pieces of malware, they are able to create their malicious payload quicker than writing everything from scratch,” said Travis Smith, senior security research engineer at Tripwire, via email. “This will reduce their time to exploit and increase potential profits from criminal activity.”

The Trojan is both persistent and powerful. IBM said that GozNym takes the stealth and persistence of the Nymaim dropper, while the Gozi ISFB components add the banking Trojan's capabilities to facilitate fraud through infected Internet browsers.

“The end result is a new banking Trojan in the wild,” IBM said in the analysis. “Internally, GozNym works like a double-headed beast, where the two codes rely on one another to carry out the malware’s internal operations.”

Gozi’s underground purveyors have made a bit of a business out of selling partial pieces, according to Andrew Komarov, chief intelligence officer at InfoArmor.

“They have changed their model and sell some specific modules to different malware projects,” he told us. “You may see posts about ‘Gozi for rent’ for $400 per week, supporting web-injects for Chrome, IE, Firefox, and have modules similar to well-known online banking Trojans like Zeus and SpyEye (VNC, key logger—used for successful online-banking theft).”

Because the source code for both Gozi and Nymaim has been leaked online, security professionals should have been prepared, some argue.

“One would think that once a bad guy has crawled in an unlocked window once everyone would remember to lock it up from then on,” said Jonathan Sander, vice president at Lieberman Software. “When you walk by and see the open window and the missing valuables, all you can do is sigh, close it up again, and hope folks may heed your warning this time around.”

Photo © wk1300mike
