A botnet operated through the prolific banking Trojan GozNym has been sinkholed after infecting over 23,000 victims across the UK, the US and Europe. Security researchers were able to crack the domain generation algorithm (DGA) that the GozNym malware uses to locate its command and control (C&C) servers, which in turn allowed the botnet to be taken down.
Cisco Talos security researchers successfully sinkholed one of the four identified botnets run by the GozNym operators, redirecting all of its traffic after cracking its DGA.
Cisco Talos researchers said: "GozNym highlights the dangers of phishing campaigns and the importance of ensuring that organizations are protected from these types of threats." They added: "GozNym is a constantly evolving threat that will likely continue to morph moving forward as attackers seek to add additional features and improve upon the ones currently present within the trojan."
"GozNym is the combination of features from two previously identified families of malware, Gozi and Nymaim. There have been multiple instances in which the source code of the Gozi trojan has been leaked. Due to these leaks it was possible for the GozNym authors to make use of the 'best of breed' methodologies incorporated into Gozi and create a significantly more robust piece of malware which was now capable of utilizing strengthened persistence methods and ultimately becoming a powerful banking Trojan," Talos researchers explained.
Researchers also identified several spear-phishing campaigns that used malicious Microsoft Word document attachments to distribute the GozNym malware. The messages in the phishing emails were specifically designed to attract the attention of the targeted organisations and individuals. Additionally, the GozNym operators were found to be exercising extreme caution in an effort to evade detection.
DGA cracking: a sure-shot way to sinkhole malware
Banking Trojans and other kinds of malware generally use DGAs so that infected hosts can keep reaching the main C&C servers, whose domains are often changed on a daily basis. A DGA takes various kinds of input data and generates seemingly random domain names, to which the infected hosts then attempt to connect. When security researchers crack a DGA that cybercriminals use to operate and manage their botnet, they can register the generated domains themselves and divert the botnet's traffic to a sinkhole.
"Talos developed scripts to replicate GozNym's DGA and brute force valid IP ranges to find valid Second Stage DGA seeds. The date is non-trivially incorporated in the seeding process, so we had to brute force a new set of seed IPs for each day we wanted to sinkhole. By using a hash collision on the first domain, we could prevent GozNym victims from attempting to contact any of the other domains in the list. The machines infected with GozNym would beacon to our sinkhole server once, then get stuck in a loop with lots of sleeping and occasionally querying Google's DNS for our sinkholed domains," the researchers said.
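As an added illustration of the mechanism described in the two paragraphs above (example code written for this article; it is neither Talos's scripts nor GozNym's real DGA): a hypothetical date-seeded DGA, the defender-side enumeration of a day's domains for registration or blocking, and a check of constructed DNS query log lines against that list to flag hosts that are beaconing. The hashing scheme, seed value, dates and log format are all assumptions.

```python
import datetime
import hashlib

def toy_dga(day: datetime.date, seed: int, count: int = 5, tld: str = ".example") -> list:
    """Hypothetical DGA: the date is mixed into the seed, so every day yields a
    fresh, deterministic list of domains. Real families (GozNym included) use
    their own schemes; this one exists only to show the defender workflow."""
    state = f"{seed}:{day.isoformat()}".encode()
    domains = []
    for _ in range(count):
        state = hashlib.sha256(state).digest()       # chain the hash per domain
        label = "".join(chr(ord("a") + b % 26) for b in state[:12])
        domains.append(label + tld)
    return domains

def blocklist_for_window(start: datetime.date, days: int, seed: int) -> set:
    """Defender side: once the DGA and seed are known, pre-compute every domain
    the bots will try over a window of days (one list per day, as the article
    notes the date is part of the seeding)."""
    window = set()
    for offset in range(days):
        window.update(toy_dga(start + datetime.timedelta(days=offset), seed))
    return window

def flag_infected_hosts(log_lines: list, day: datetime.date, seed: int) -> dict:
    """Match DNS query logs ('<timestamp> <client-ip> <qname>', an assumed
    format) against the day's generated domains; a host querying them is
    behaving like an infected machine looking for its C&C."""
    expected = set(toy_dga(day, seed))
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                  # skip malformed lines
        _ts, client, qname = parts
        if qname.lower().rstrip(".") in expected:
            hits.setdefault(client, set()).add(qname)
    return hits

# Constructed sample data: one host querying two of today's DGA domains, one
# benign lookup, and one host querying yesterday's domain (stale, not today's).
DAY = datetime.date(2016, 9, 20)
SEED = 0x1234
TODAYS = toy_dga(DAY, SEED)
SAMPLE_LOG = [
    f"2016-09-20T10:01:02 10.0.0.5 {TODAYS[0]}",
    f"2016-09-20T10:01:03 10.0.0.5 {TODAYS[1]}",
    "2016-09-20T10:01:04 10.0.0.9 www.google.com",
    f"2016-09-20T10:02:00 10.0.0.7 {toy_dga(DAY - datetime.timedelta(days=1), SEED)[0]}",
]
```

Because bots walk the generated list in order, the first domain of each day is the one a defender would register for the sinkhole, which is the `TODAYS[0]` entry above.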
Talos researchers said within 24 hours of sinkholing the GozNym botnet, they detected over 23,000 infected machines, most of which were found to be located in Germany, the US, Poland, Canada and the UK. Talos researchers said they have "discovered multiple DGA variants with differing configurations" and "are actively working to sinkhole all of the botnets" that they can find.