Banking Trojans Combine to Siphon $4 Million in a Few Days


A new piece of malware discovered by security researchers at IBM has reportedly been used to steal $4 million from customers of over 24 U.S. and Canadian banks in a matter of just a few days.

The ‘chimera’ Trojan is built from two existing malware strains, Nymaim and Gozi, combined to create what researchers have named GozNym.

The new hybrid is a powerful Trojan, putting together the best (or the worst) of both strains. It borrows the stealth and persistence of the Nymaim malware, and from Gozi it takes the banking Trojan’s ability to carry out fraud through the victim’s infected web browser.

Speaking to ThreatPost, Limor Kessem, a cybersecurity expert at IBM’s X-Force Research division stated:

GozNym is an extremely stealthy Trojan combining the best of both Nymaim and Gozi ISFB to create a very problematic threat. The attack numbers for GozNym have been extremely high given it’s only been around since April.

As things stand, the hybrid’s primary delivery method is email. The Trojan is dropped by malicious macros in an infected document attached to the message. Once running, it manipulates the victim’s browser to steal their online banking credentials and then transfers money out of their accounts.
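One practical check that follows from this delivery method is to flag document attachments that can carry macros before they reach a user. The script below is an added example and is not code from IBM’s research or from the original article; it uses only the Python standard library, and the sample attachments it inspects are constructed inline (no real malware is embedded). It recognises the two Office container formats that can hold a VBA project: the OOXML zip package (a `vbaProject.bin` part, or the macro content type declared in `[Content_Types].xml`) and the legacy OLE2 compound file, which it flags for deeper inspection because macro storage there is not visible without parsing the container.

```python
"""Flag e-mail attachments that can carry VBA macros (added example)."""
import io
import zipfile

# Magic bytes of an OLE2 compound file (.doc/.xls); macros may be inside.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that OOXML packages declare for an embedded VBA project.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return one of 'ooxml-macro', 'ooxml-clean', 'ole-inspect', 'other'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: cannot rule macros out from the header alone.
        return "ole-inspect"
    if data[:2] != b"PK":
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # A vbaProject.bin part anywhere in the package is a macro project,
            # regardless of the extension the attachment was given.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # The content-types manifest can also advertise a macro part.
            if "[Content_Types].xml" in names:
                manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in manifest:
                    return "ooxml-macro"
    except zipfile.BadZipFile:
        return "other"
    return "ooxml-clean"


def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = [
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" ContentType='
            '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            # Placeholder bytes stand in for a VBA project stream.
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed sample attachments, as a gateway might see them.
SAMPLE_ATTACHMENTS = {
    "invoice.docm": _build_ooxml(with_macro=True),
    "memo.docx": _build_ooxml(with_macro=False),
    "legacy.doc": OLE_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text, nothing to see here",
}


def triage(attachments: dict) -> dict:
    """Classify every attachment in a message; returns name -> verdict."""
    return {name: classify_attachment(blob) for name, blob in attachments.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:14s} {verdict}")
```

Anything classified `ooxml-macro` or `ole-inspect` is a candidate for quarantine or sandbox detonation rather than delivery; the extension is deliberately ignored, since a macro-bearing package renamed to `.docx` is still a macro-bearing package.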

The combined malware has already targeted retail banks, popular e-commerce websites, credit unions and business banking institutions. IBM researchers report that the Trojan is actively attacking a staggering 72% of the targets in its configuration.

The breakdown of the hybrid Trojan’s targets is as follows:

  • 28% – Business Banking
  • 27% – Credit Unions
  • 22% – Ecommerce
  • 17% – Retail Banking
  • 6% – Others

An anonymous source at another company researching the malware told Forbes that the GozNym hybrid had also been discovered in Asia.

A technical description of the Trojan has been detailed by IBM researchers and can be found here.

Image credit: Wikimedia.