Security experts from Cisco Talos have uncovered a new malware strain called GozNym, which combines features of Gozi and Nymaim.
GozNym Contains Gozi and Nymaim Legacy Features
GozNym is a new malware threat that combines the capabilities of two other well-known strains, Gozi and Nymaim.
Gozi is a well-known banking Trojan, notable for its Domain Generation Algorithm (DGA) and its ability to install a rootkit into the Master Boot Record (MBR) of the victim machine.
Nymaim, on the other hand, appeared in 2013 as malware used mainly to deliver ransomware, notably distributed through the Black Hole exploit kit. Its source code included anti-analysis techniques.
The authors of GozNym probably used the leaked Gozi code to improve their own code base and create their own version. The new malware adds several components that introduce improved anti-detection mechanisms.
The GozNym Trojan has become a much-improved banking Trojan. The Cisco Talos experts have been able to successfully reverse engineer the DGA associated with the malicious C&C servers. The exposed details give an overview of how the Trojan and its operators work.
GozNym Is Sophisticated
The Cisco Talos researchers have identified four variants so far, distinguished by the Domain Generation Algorithms (DGAs) they use. It is possible that they were all crafted and distributed by the same hacker or group, as there are several overlaps in the Command and Control servers on which the malicious files are hosted.
In several cases the samples contacted the same servers, which supports this hypothesis. The experts also observed that the distribution servers delivered multiple versions of the GozNym malware.
The threat is being distributed in several phishing campaigns. The payload downloader is bundled in a malicious Microsoft Word document containing VBA macros. When executed, the macros issue an HTTP GET request that downloads the binary file.
The theme of the spam campaign is similar to others by posing as legitimate tax invoices, payment documents or other important data. The operators of the GozNym malware have taken the time to carefully research their targets by customising the contents of the message.
One of the campaigns observed by the researchers used documents with VBA macros that appear to be legitimate invoices from Bank of America. The attackers also tried to persuade targets to enable macros in Microsoft Word by displaying a notification.
Another campaign distributed the malware by posing as a tax invoice that included references to the QuickBooks software.
The malicious VBA script is obfuscated using ROT substitution. Once the victim executes the binary, the malware unpacks itself and allocates a buffer inside the rundll32.exe process, into which the contents of GozNym are copied. The binary is run with a fake command line consisting of a random option and a random DLL name. The malware then attempts to inject its main payload into this process; once successful, it begins communicating with the remote C&C servers.
The GozNym variants use several anti-analysis and obfuscation methods to make analysis more difficult. The malware also uses at least one encrypted memory region that is decrypted on demand. Another interesting feature is that the code uses custom structures to store and pass various data during execution.
Some Further Information About GozNym
GozNym checks whether the infected machine has an active Internet connection by performing DNS queries for Google and Microsoft domains. The first data it sends is an encrypted HTTP POST request that gives the attackers information about the host system: the Windows version, the machine ID, and checksums of the computer name, the username, and all stored encryption keys. The RC4 encryption key is derived from a partial key stored in the binary combined with some randomly generated bytes. The malware builds a buffer containing the randomly generated part of the key, the encrypted data, and the sizes of both arrays. All of this is base64-encoded and sent to the remote servers.
As a consequence of this procedure, GozNym is difficult to detect in network traffic: every field of the C&C communication is either randomly generated or encrypted under this partial-key scheme. The researchers at Cisco Talos set up a sinkhole server that received 23 062 beacons within the first 24 hours of its activation, from a total of 1854 unique IP addresses, which indicates that the threat has infected many networks.
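As an added illustration of the beacon scheme described above (not code from Cisco Talos or from the malware itself), the following is a decoder an analyst could use once the partial key has been extracted from a sample. The exact field layout (two size fields, then the random key part, then the ciphertext) and the placeholder partial key are assumptions; the report does not specify them.

```python
import base64
import struct

# Assumed partial key embedded in the binary (placeholder; the real value is
# not given in the report and must be extracted from the sample being analysed).
PARTIAL_KEY = b"PARTIAL_KEY_PLACEHOLDER"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_beacon(random_part: bytes, plaintext: bytes) -> str:
    """Construct a beacon in the assumed layout: two little-endian uint32 sizes,
    the random key part, then the RC4 ciphertext, all base64-encoded.
    Used here only to produce test input for the decoder."""
    ciphertext = rc4(PARTIAL_KEY + random_part, plaintext)
    blob = struct.pack("<II", len(random_part), len(ciphertext)) + random_part + ciphertext
    return base64.b64encode(blob).decode("ascii")


def decode_beacon(b64: str) -> bytes:
    """Analyst-side decoder: rebuild the full RC4 key from the partial key and the
    random part carried in the beacon, then decrypt the captured host-info data."""
    blob = base64.b64decode(b64)
    rand_len, ct_len = struct.unpack_from("<II", blob, 0)
    body = blob[8:]
    if len(body) != rand_len + ct_len:
        raise ValueError("size fields do not match payload length")
    random_part, ciphertext = body[:rand_len], body[rand_len:]
    return rc4(PARTIAL_KEY + random_part, ciphertext)


if __name__ == "__main__":
    # Constructed host-info string standing in for the real beacon fields.
    sample = build_beacon(b"\x9a\x3c\x51\xe7", b"win=6.1;mid=0000;cn=1234")
    print(decode_beacon(sample))
```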
For more detailed information you can read their full report on the team’s blog.