Employees of IBM X-Force Research discovered a new Trojan that is a hybrid of two rather well-known malware families, Nymaim and Gozi ISFB. It turned out that the Nymaim developers combined the source code of their malware with part of the Gozi ISFB code. The resulting hybrid was actively used in attacks on a network of 24 banks in the United States and Canada, and with it the attackers managed to steal millions of dollars. The hybrid was named GozNym.
According to information security experts, the hybrid took the best of the two viruses mentioned above: from Nymaim the malware inherited the ability to hide its presence from antivirus programs, from Gozi the ability to penetrate users' PCs. GozNym is unofficially called the "two-headed monster."
Targeting: financial institutions in North America
The developers of the new virus aimed it at organizations in North America, in the United States and Canada. Currently, 22 banks, credit institutions and popular e-commerce platforms affected by the virus are known. Also on the list are two financial companies from Canada.
Source code - where is it from?
How was the hybrid created? As mentioned above, this virus consists of parts of two other malware families. The source code of the first, Gozi ISFB, has been leaked on the Net more than once. The first time was in 2010; the second was in 2015, when the source code of a modified version of this software was posted on the Internet.
As for Nymaim, the only possible source of its source code is its developers. Most likely, it was the Nymaim team that took part of the Gozi ISFB code and combined it with their own product, producing a "Frankenstein of the virus world".
From Nymaim to GozNym
Nymaim operates in two stages. First, this malware penetrates computers using exploit kits; once on the PC, it performs the second stage, launching two executable files that complete the infection of the victim's machine.
The original virus, Nymaim, uses encryption, anti-VM and anti-debugging techniques, and obfuscation of the order in which program code executes, i.e. control-flow obfuscation. Until now, this virus has been used mainly as a dropper. Droppers are a family of malicious programs (usually Trojans) intended for the unauthorized installation, hidden from the user, of other malicious programs onto the victim's computer, either contained in the body of the dropper or downloaded over the network. This type of malware usually downloads files from the network, saves them to the victim's disk and then executes them, without any messages or with false messages (an error in the archive, an incorrect operating system version, etc.).
Nymaim, as far as is known, was created by a team of developers who have maintained this malware for several years. At the moment, traces of the dropper are found on users' PCs in Europe, North America and South America.
Of course, not all attacker operations performed using Nymaim are documented. However, there are data on 2.5 million infections via the Blackhole Exploit Kit (BHEK) alone at the end of 2013.
IBM researchers point out that Nymaim began using the Gozi ISFB module, the DLL responsible for web injection, in 2015. The final version of the hybrid, a full-fledged integration of the two malicious programs, was discovered only in April 2016. In its hybrid incarnation, Nymaim is executed first, and then the Gozi ISFB executable is launched.
Some technical information
Before the merger into a single whole, the Nymaim malware used the Gozi ISFB DLL to inject into the victim's browser and perform web injections. The DLL was about 150 KB in size and was a valid Portable Executable (PE) file.
New versions of Nymaim use not the DLL but the Gozi ISFB code itself. Instead of a 150 KB file, Nymaim now injects a 40 KB buffer into the browser. This buffer has all the functionality of Gozi ISFB, but with some differences: it is no longer a valid PE file; its structure is different and amounts to shellcode. It uses an Import Address Table (IAT) but has no PE headers.
The old version of Nymaim, where the Gozi ISFB DLL is used
The new buffer and the new hybrid function jmp_nymaim_code (below)
This part of the code is executed whenever Nymaim requires Gozi ISFB to perform an operation. The function prepares the required parameters for Nymaim: the type of operation, the size of the allocated memory, etc. Nymaim then takes over and returns the result to Gozi ISFB.
The MD5 hash of the sample in this case is 2A9093307E667CDB71884ECC1B480245.
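The distinction drawn above, a valid PE image with headers versus a headerless shellcode buffer injected into the browser, is what a memory scanner keys on when it triages an injected region, and the MD5 quoted just above is the kind of indicator that goes into a hash match. The following Python script is an added example and is not code from the article or from IBM's tooling: it checks the DOS and PE header signatures of a buffer, labels the region accordingly, and matches its MD5 against an indicator set. VALID_PE_STUB and HEADERLESS_BLOB are constructed test buffers (not real samples), and the function names and triage labels are assumptions of this example.

```python
import hashlib
import struct

# Constructed sample 1: a minimal buffer carrying valid DOS and PE header
# signatures (NOT a runnable executable, just enough for the header check).
_stub = bytearray(0x100)
_stub[0:2] = b"MZ"                          # IMAGE_DOS_HEADER.e_magic
struct.pack_into("<I", _stub, 0x3C, 0x80)   # e_lfanew: file offset of "PE\0\0"
_stub[0x80:0x84] = b"PE\0\0"                # IMAGE_NT_HEADERS.Signature
VALID_PE_STUB = bytes(_stub)

# Constructed sample 2: a headerless blob standing in for a position-independent
# code buffer. No MZ/PE markers anywhere; the bytes are arbitrary, not real malware.
HEADERLESS_BLOB = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0xE8, 0x00,
                         0x00, 0x00, 0x00, 0x5B, 0x90, 0xC3, 0x00, 0x00]) * 64


def has_pe_headers(buf: bytes) -> bool:
    """True if buf starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    # e_lfanew must land past the DOS header and inside the buffer.
    if e_lfanew < 0x40 or e_lfanew + 4 > len(buf):
        return False
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_injected_region(buf: bytes) -> str:
    """Label an executable memory region the way a memory scanner would triage it."""
    if has_pe_headers(buf):
        return "pe-image"        # e.g. a reflectively loaded DLL with headers intact
    return "headerless-code"     # raw code buffer: nothing to parse, imports resolved by the code itself


# Hash quoted in the article, lower-cased for comparison.
KNOWN_BAD_MD5 = {"2a9093307e667cdb71884ecc1b480245"}


def md5_hex(buf: bytes) -> str:
    return hashlib.md5(buf).hexdigest()


def matches_ioc(buf: bytes, ioc_hashes=KNOWN_BAD_MD5) -> bool:
    """Hash-based indicator match; case-insensitive because published hashes vary in case."""
    return md5_hex(buf) in {h.lower() for h in ioc_hashes}


def triage(buf: bytes) -> dict:
    """Combine the layout check and the hash match into one triage record."""
    return {"layout": classify_injected_region(buf),
            "md5": md5_hex(buf),
            "known_bad": matches_ioc(buf)}


if __name__ == "__main__":
    for name, sample in (("pe_stub", VALID_PE_STUB), ("headerless", HEADERLESS_BLOB)):
        print(name, triage(sample))
```

The header check deliberately rejects a buffer whose e_lfanew points outside the region or back into the DOS header, since a truncated or partially overwritten image should not be reported as a clean PE. A hash match only catches the exact sample it was taken from, so the layout label is the more durable of the two signals when the injected code is rebuilt.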
How to protect yourself?
This is not so easy. The malware described above is unique and can create major problems for both individuals and entire companies. To avoid such a turn of events, it is necessary to follow the usual rules of information handling in organizations.
Admittedly, this does not always help, especially if the company has many employees working on network-connected computer equipment.
In this case, we also recommend using our security tools: IBM Security Trusteer Pinpoint Malware Detection and IBM Security Trusteer Rapport. These services provide timely detection of infected devices on the network, removal of malware if the system is already infected, and prevention of the infection process using various protection methods.