17 May 2019

International police dismantled a cybercriminal network behind GozNym malware

In a joint international law enforcement operation, officials took down a major global organized cybercrime network responsible for stealing an estimated $100 million from more than 41,000 victims, primarily businesses and their financial institutions, around the world.

The gang infected victims' computers with the GozNym banking trojan to capture their online banking credentials, used those credentials to gain unauthorized access to the victims' online bank accounts and steal money from them, and then laundered the funds through US and foreign beneficiary bank accounts controlled by the criminals.

GozNym is built from two known, powerful pieces of malware: Gozi ISFB, a banking trojan that has been in the wild since 2012, and Nymaim, a downloader that has been used to deliver ransomware and other malware onto infected machines. Like most such campaigns, GozNym was distributed through legitimate-looking spear-phishing emails containing malicious links and attachments that downloaded the malware onto victims' computers. To keep GozNym undetected by anti-virus products, one member of the gang "crypted" the trojan, that is, encrypted and obfuscated the binary so that signature-based scanners would not recognize it.

To hide their tracks, the attackers hosted their malicious domains and GozNym downloads on the servers of the Avalanche network, a bulletproof hosting service that, according to Europol, provided services to more than 200 cybercriminals and hosted more than twenty different malware campaigns, including GozNym. Last year the alleged leader of the Avalanche network was arrested in Ukraine.

US and EU law enforcement authorities have now tracked down and charged ten members of the GozNym cybercriminal network. Five of them were arrested during coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine, including the leader of the GozNym network, who along with his "technical assistant" is being prosecuted in Georgia by the Prosecutor's Office of Georgia and the Ministry of Internal Affairs of Georgia. However, five Russian nationals charged in connection with GozNym, including the developer of the malware itself, remain at large; according to the FBI, they reside in Russia.
