IBM has discovered a new piece of malware that has stolen $4 million from more than 24 American and Canadian banks in just a few days. The hackers combined code from two malware types, known as Nymaim and Gozi, to create GozNym, a Trojan both persistent and powerful. Numerous credit unions and popular e-commerce platforms were also said to have been targeted. Security experts from Tripwire, Proofpoint and ESET responded below.
Travis Smith, senior security research engineer at Tripwire:
“Cyber criminals have specialties just like their white hat counterparts. By taking bits of code from different pieces of malware, they are able to create their malicious payload more quickly than by writing everything from scratch. This will reduce their time to exploit and increase potential profits from criminal activity.
Data is the currency of the 21st century; however, criminals are still interested in real currency as well. Banks and e-commerce sites face attacks from criminals seeking both sets of currency. Organizations should monitor critical systems for suspicious changes as well as limit network connectivity to prevent data leakage in the event of a breach.”
Bryan Burns, VP of Threat Research at Proofpoint:
“Last week we published findings that a threat actor sent approximately a third of a million highly personalized phishing emails in an attempt to deliver a number of malware payloads, and Nymaim was part of that scheme. Earlier this year we uncovered that Nymaim had switched from delivering ransomware to delivering banking Trojans. These campaigns primarily use malicious document attachments, and occasionally malicious URLs, as they try to infiltrate systems. We see these infection attempts on a regular basis and stop the attacks before they reach our customers.
Bad actors are specifically targeting financial organizations and employees who have a higher chance of interacting with banking websites on behalf of the company. For organizations, properly defending against Nymaim attacks requires best-of-breed advanced threat solutions that can detect and block attachment-based and URL malware campaigns.”
Mark James, security specialist at ESET:
“These days malware is getting so much more complicated and intelligent, and it is a continued race between writers and detectors to do their respective tasks. There are so many different forms of malware around today, and combining different versions to create hybrid pieces is an effective way of developing malware that is stealthy and successful, which is exactly what we have here. In addition to this, by creating a modified piece of malware you would in theory create something that is not currently being detected. Generally the motivation behind this is monetary gain, so there’s no better target than the banks themselves. With an estimated cache so far of $4 million, it proves this particular venture is working.”