$100M ‘GozNym’ Bank Trojan Gang: 6 Arrested, 5 at Large

These five handsome specimens are wanted for an alleged conspiracy—to steal $100 million from bank accounts. Six others are in custody after a coordinated operation by European and U.S. law enforcement. All are said to be part of the GozNym malware network.

The perps allegedly have infected 41,000 PCs via phishy spam campaigns. They’re alleged to have extracted money in real time, as victims typed in their banking credentials.


It’s a win for international cooperation. In today’s SB Blogwatch, we can’t unsee those faces.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: unnatural acts in PowerPoint.

Who Ya Gonna Call? Goz’busters

What’s the craic? Graham Cluley writes from his secret headquarters—“$100 million GozNym cybercrime network dismantled”:

 Suspected members of the GozNym cybercrime network have been charged in relation to the … theft of tens of thousands of people’s [money, plus] sensitive personal and financial information. … The sophisticated conspiracy saw victims’ computers infected with the GozNym malware in order to steal … passwords, and funds stolen from compromised accounts and laundered … around the world.

GozNym itself was a hybrid of two previously-discovered strains of malware: Gozi and Nymaim. … Alexander Konovolov from Georgia, is said to have admitted controlling a 41,000-strong botnet of compromised computers infected with … GozNym.

At a live-streamed news conference at Europol’s headquarters in The Hague, representatives from the United States, Germany, Ukraine, Georgia, Moldova, and Bulgaria described in detail how the malware operation had attempted their $100 million hack. … The arrests of the gang are a direct consequence of December 2016’s takedown of Avalanche, a network of infrastructure used as a delivery platform to launch and manage global malware attacks and money mule recruiting campaigns.

Need more info? Climb aboard the Brian Krebs cycle: [You’re fired—Ed.]

 Law enforcement agencies in the United States and Europe today unsealed charges against 11 alleged members of the GozNym malware network [which is] suspected of stealing $100 million from more than 41,000 victims … between October 2015 and December 2016. … According to the indictment, the GozNym network exemplified the concept of ‘cybercrime as a service.’

[It’s] related to the 2016 arrest of Krasimir Nikolov, a 47-year-old Bulgarian man who was extradited to the United States. … Prosecutors say Nikolov, a.k.a. “pablopicasso,” “salvadordali,” and “karlo,” was a key player in the GozNym crime group who used stolen online banking credentials captured by [the] malware to access victims’ online bank accounts and attempt to steal their money. [He] entered a guilty plea in federal court in Pittsburgh on charges relating to his participation.

Vladimir Gorin, a.k.a. “Voland,” “mrv,” and “riddler,” of Orenburg, Russia allegedly was a malware developer. [Allegedly] 32-year-old Eduard Malancini, a.k.a. “JekaProf” and “procryptgroup” from Moldova, specialized in “crypting.” … 28-year-old Muscovite Konstantin Volchkov, a.k.a. “elvi” … allegedly provided the spamming service used to disseminate malicious links. … 36-year-old Gennady Kapkanov from Poltava, Ukraine … is now facing prosecution in Ukraine for his role in providing bulletproof hosting services. … Four other men named in the indictment were accused of recruiting and managing “money mules.”

It’s good to see this crime network being torn apart, even if many of its key members have yet to be apprehended. These guys caused painful losses for many companies — mostly small businesses — that got infected with their malware.

International crime needs international law-enforcement. So say U.S. Attorney Scott W. Brady and FBI Special Agent Robert Jones—“Cyber-Criminal Network Operating out of Europe Targeting American Entities Dismantled”:

 International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership. The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime.

Cybercrime victimizes people all over the world. This prosecution represents an international cooperative effort to bring cybercriminals to justice.

This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized cybercrime. Successful investigation and prosecution is only possible by sharing intelligence, credit and responsibility. Our adversaries know that we are weakest along the seams and this case is a fantastic example of what we can accomplish collectively.

Victims of the GozNym malware attacks include:

  • An asphalt and paving business located in New Castle, Pennsylvania;
  • A law firm located in Washington, DC;
  • A church located in Southlake, Texas;
  • An association dedicated to providing recreation programs and other services to persons with disabilities located in Downers Grove, Illinois;
  • A distributor of neurosurgical and medical equipment headquartered in Freiburg, Germany, with a U.S. subsidiary in Cape Coral, Florida;
  • A furniture business located in Chula Vista, California;
  • A provider of electrical safety devices located in Cumberland, Rhode Island;
  • A contracting business located in Warren, Michigan;
  • A casino located in Gulfport, Mississippi;
  • A stud farm located in Midway, Kentucky; and
  • A law office located in Wellesley, Massachusetts.

And on the other side of the pond? Europol—“Cybercriminal network dismantled in international operation”:

 An unprecedented, international law enforcement operation has dismantled a complex, globally operating and organised cybercrime network. … Over the course of the international operation, searches were conducted in Bulgaria, Georgia, Moldova and Ukraine. Criminal prosecutions have been initiated in Georgia, Moldova, Ukraine and the United States.

This operational success is a result of the international law enforcement cooperation between participating EU Member States … as well as Georgia, Moldova, Ukraine and the United States. … Europol, the European Agency for Law Enforcement Cooperation as well as Eurojust, the European Union’s Judicial Cooperation Unit supported the case. This operation showcases how an international effort to share evidence and initiate criminal prosecutions can lead to successful operations in multiple countries.

The leader of the GozNym criminal network, along with his technical assistant, are being prosecuted in Georgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia. [The] apartment [of] an administrator of the “Avalanche” network … in Poltava, Ukraine, was searched in November 2016 during a German-led operation to dismantle the network’s servers and other infrastructure. Through the coordinated efforts being announced today, this alleged cybercriminal is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network.

Are we happy? This Anonymous Coward says it “actually makes me happy”:

 It’s nice to see meaningful law enforcement action happen for the sake of taking down unequivocally unjust people, especially in an international setting where multiple enforcement agencies are involved. It almost leaves hope that we can have a world where law enforcement is both competent and there to help decent people.

Also, I feel like cyber-criminals of the sort and scale as those of the GozNym gang often escape retribution, and it is nice to see them face consequences for their actions. I would say I hope they end up in Bulgarian prison, but I know they will be charged harder and remain behind bars for longer under the penalties provided by the CFAA in the US than they could possibly be in any other country.

Bring ’em home.

Presumably this didn’t happen overnight? IBM’s Limor Kessem celebrates “GozNym Closure”:

 In April 2016, [we] came across a new banking Trojan that seemed a little too familiar … a Trojan hybrid … spawned from the Nymaim and Gozi ISFB malware. … Attacks amounted to over $4 million in losses within the first few days.

GozNym leveraged the Nymaim dropper’s stealth and persistence and the Gozi ISFB parts added the banking Trojan’s modules and its capabilities to facilitate wire fraud. … They teamed up with the Avalanche botnet … to spread the malware and link up with other elite cybercriminals.

Spreading out this quickly and efficiently is no small feat. … Creating and maintaining redirection attacks is a resource-heavy endeavor. … Spreading a banking Trojan to countries … where banking systems differ, entails people on the streets. … GozNym collaborators had the contacts to help them craft and spread quality malspam in those languages, work the redirection attacks simultaneously in different parts of the world, receive backing from local organized crime to facilitate cash-out, and move the money out quickly.

Europol, in collaboration with the DOJ, have managed to reach and arrest … 10 defendants in five countries. … This successful operation is a meaningful event. It … serves as a warning to both existing and would-be criminals. … It is also a reminder that the quick sharing and democratizing of threat intelligence is a critical part of fighting cybercrime.

So spam is still a huge threat? Sorry, Dave:

 Seems the entry point is always an email or URL link on a website; people (especially untrained/uneducated) are always the weakest link. Click, click, click.

We’re always talking about weak cyber defenses within organizations’ networks, but maybe we should all take a closer look at security on ad servers and mail exchange servers. I for one would like to see all email with spoofed ‘From’ addresses or obfuscated URLs deleted immediately.

$100 million here, $100 million there. Pretty soon you’re talking serious money. Martijn Grooten clarifies:

 Note the ‘tried’ that some stories have missed: Europol only said the gang attempted to steal $100m.

Not sure how much was actually stolen and how they derived this figure.

Meanwhile, Mikko Hyppönen—@mikko—makes a subtle dig at his oh-so peaceful neighbors to the east:

 Online criminals are not always Russian.

And Finally:

Unnatural Acts in PowerPoint

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: FBI

Richi Jennings


Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
