A two-headed monster in the world of viruses: GozNym

Employees of IBM X-Force Research have discovered a new Trojan that is a hybrid of a fairly well-known malware Nymaim and Gozi ISFB. It turned out that developers of Nymaim combined source code of the virus with a part of Gozi ISFB code. As the result they got a hybrid, which is actively used in attacks on the network of 24 banks in the USA and Canada. With this malware, cyber criminals managed to steal millions of dollars. The hybrid virus product called GozNym.

According to the information security specialists, this hybrid has taken the best from the two viruses mentioned above. From Nymaim malware inherited the ability to hide its presence from antivirus programs, from Gozi – the ability to sneak into user’s computers. GozNym informally was called the “two-headed monster”.


The developers of the new virus targeted the North America organizations of USA and Canada. It is now known about 22 victims of the virus, banks, credit institutions and the popular e-commerce platforms. Also in the list are two finance companies from Canada.

How this hybrid was created? We have already mentioned that the virus is composed of two parts of other malware. The source code of the first, Gozi ISFB, has been repeatedly uploaded in the network. For the first time it happened in 2010. The second time – in 2015, when Internet sources posted a modified version of the software. Regarding Nymaim, the only possible source of the source code is its developers. Most likely, the Nymaim team took a piece of Gozi ISFB code and combined it with their product, getting “Frankenstein in the world of viruses”.

Nymaim operates in two stages. Initially, this malware gets on computers using various exploits kits, and after getting into the PC performs the second stage – the launch of two executable files that complete the infection of victim computers.

The original virus, Nymaim, uses encryption, anti-VM, ant-debugging and obfuscation sequence of program code. Until now, the virus was generally used as a dropper. This type of malware is usually without any message (whether the operating system false error messages about the incorrect version of operating system or error in the archive and so on). Loads from the network and stores the files on the disk of the victim with their subsequent execution.

Nymaim, as you know, was created by a team of developers who run this piece of malware for several years. At the moment, the presence of traces of dropper were detected on the PC users in Europe, North and South America. Of course, not all malicious operations performed using Nymaim are documented. Nevertheless, there are evidences about 2.5 million infected with Blackhole Exploit Kit (BHEK) only at the end of 2013.

Researchers from IBM have noticed that Nymaim started using Gozi ISFB DLL module, responsible for web injections, in 2015. The final version of the hybrid, which is the full integration of the two malware was detected only in April 2016. In a hybrid incarnation Nymaim is being executed first, and then it is launching executable of Gozi ISFB.

How to protect yourself?

It is not so easy. The above-described malware is unique and can create big problems to private person and the company. In order to avoid such development, it is necessary to follow the normal rules for handling information within organization. However, this doesn’t always work, especially if the company has a lot of employees working with computers with access to the Internet.

In this case, we also recommend using protection tools: IBM Security Trusteer Pinpoint Malware DetectionIBM Trusteer Rapport and our removal tool to scan your computer for malware. These services provide timely detection of infected devices on the network, elimination of malware, if the system is already infected. Additionally, preventing the process using a variety of protection methods.

Information added: 05/04/2016 08:02 PM;