17 May 2019

International police dismantled a cybercriminal network behind GozNym malware

In a joint international law enforcement operation officials took down a major global organized cybercrime network responsible for stealing an estimated $100 million from more than 41 000 financial institutions and businesses around the world.

The gang infected victims’ computers with the GozNym banking trojan to capture their online banking credentials, which it then used to gain unauthorized access to victims’ online bank accounts, steal money from them, and launder the funds through US and foreign beneficiary bank accounts controlled by the criminals.

GozNym malware is based on two known powerful trojans: Gozi ISFB, a banking trojan that has been in the wild since 2012, and Nymaim, a ransomware that is also capable of downloading additional malware onto the affected device. Like most hacking campaigns, the GozNym trojan was distributed through legitimate-looking spear-phishing emails containing malicious links and attachments, which downloaded the malware onto victims’ computers. To ensure that GozNym remained undetected by anti-virus products, one of the members of the gang encrypted the trojan.

To hide their tracks, the attackers hosted malicious domains and GozNym downloads on the servers of the Avalanche network, a bulletproof hosting service that, according to Europol, provided services to more than 200 cybercriminals and hosted more than twenty different malware campaigns, including GozNym. Last year the alleged leader of the Avalanche network was arrested in Ukraine.

Now US and EU law enforcement authorities have tracked down and charged ten members of the GozNym cybercriminal network. Five of them were arrested during several coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine, including the leader of the GozNym network, who, along with his "technical assistant", is being prosecuted in Georgia by the Prosecutor's Office of Georgia and the Ministry of Internal Affairs of Georgia. However, five Russian nationals charged in connection with GozNym remain on the run, including the developer of the malware itself. According to the FBI, they reside in Russia.
