GozNym Banking Malware

Three members of an international organized cybercrime group that was behind a multi-million dollar theft primarily against U.S. businesses and financial institutions have been sentenced to prison, the U.S. Justice Department announced.

The criminals used the GozNym banking Trojan to break into more than 4,000 victim computers globally, primarily in the United States and Europe, between 2015 and 2016, and fraudulently steal nearly $100 million from their banking accounts.

In May this year, Europol dismantled the cybercrime network behind GozNym, and the United States filed charges against a total of ten members of the group. Five of them were arrested at that time, while the other five, including the developer of GozNym, remain at large.

In a federal court in Pittsburgh on Friday, Krasimir Nikolov, one of the group’s members, was sentenced to time served, having already spent over 39 months in prison for his role as an “account takeover specialist” in the scheme; he will now be transferred to Bulgaria.

Nikolov, 47, was arrested in September 2016 by Bulgarian authorities and extradited to Pittsburgh in December 2016 to face federal charges of criminal conspiracy, computer fraud, and bank fraud.

“Nikolov used the victims’ stolen online banking credentials captured by GozNym malware to access victims’ online bank accounts and attempt to steal victims’ money through electronic transfers into bank accounts controlled by fellow conspirators,” the DoJ said in a press release.

Two other GozNym group members sentenced on Friday—Alexander Konovolov and Marat Kazandjian—also participated in the scheme and were sentenced to seven and five years of imprisonment, respectively. Both were arrested and prosecuted in Georgia.

While Konovolov served as a primary organizer and leader of the GozNym network that controlled over 41,000 infected computers and recruited cybercriminals using underground online criminal forums, Kazandjian was his primary assistant and technical administrator.

GozNym is a notorious banking Trojan that was developed by combining two known, powerful Trojans: Gozi ISFB, a banking Trojan that first appeared in 2012, and Nymaim, a Trojan downloader that can also function as ransomware.

The malware, delivered primarily through massive malspam campaigns targeting victims’ Windows PCs, waited for victims to enter their banking passwords into their web browser, captured them, and then used them to break into victims’ bank accounts and fraudulently transfer funds to accounts controlled by the attackers.

The GozNym malware network was hosted and operated through the “Avalanche” bulletproof hosting service, whose administrator was arrested in Ukraine during a search in November 2016.

“This new paradigm involves unprecedented levels of cooperation with willing and trusted law enforcement partners around the world who share our goals of searching, arresting, and prosecuting cyber criminals no matter where they might be,” said U.S. Attorney Scott W. Brady.

The victims of this cybercrime network were primarily U.S. businesses and their financial institutions, including a number of victims located in the Western District of Pennsylvania, though the DoJ did not name any.