Threat Watch

Multi-National Operation Takes Down Half of GozNym Group

GozNym: Five of the eleven members of the GozNym group, who are responsible for the creation of the GozNym malware, have been arrested and face extradition to the United States to stand trial. GozNym was primarily used to target large companies and their financial institutions for financial theft and was a hybrid of the Gozi and Nymaim malwares. Coordination between the FBI, Europol, and local law enforcement agencies in Germany, Bulgaria, Moldova, Ukraine, and Georgia led to the arrest of five members. One had been previously arrested in Bulgaria in 2016, and the remaining five are still at large and are believed to be in hiding in Russia. A member who is believed to have been responsible for GozNym’s encryption and obfuscation was arrested by authorities in Moldova. The group’s leader and his technical advisor were arrested in Georgia, where they are facing prosecution, although U.S. authorities may request extradition. The network’s administrator was arrested in Ukraine, as was one of the group’s “cash out” personnel. Cash out personnel specialize in quietly moving the funds from compromised accounts into accounts controlled by the group. The sixth member of the group was arrested in Bulgaria in 2016 and has already been extradited to the United States. Of the five members remaining at large, one is the developer of the GozNym malware; the others are a social engineer, an account takeover specialist, and two “cash out” personnel.

ANALYST NOTES

While the group could easily continue to operate with the members still at large, this particular group will probably remain quiet and in hiding for the time being to avoid arrest. Others may still make use of the GozNym malware in the group’s absence, or tweak the malware to create a new means of exploiting financial institutions.