Anyone have experience removing GozNym yet?

Frick

Last week I received a phone call from a client. They said they were on their bank web portal, and shortly afterwards got a phone call from their bank's fraud department. The person on the phone said they had identified the client's computer as being infected with the GozNym trojan and had blocked its actions from the server side. They instructed the client to call their IT support about it, and recommended installing IBM Trusteer Rapport.

This whole situation initially set off red flags as a general phone scam, but I found it odd they didn't try to get a remote session, install software, extort money to remove it, etc. GozNym is very new, and all over the news for already stealing millions of dollars.

I ran full virus and rootkit scans (Bitdefender, Malwarebytes, Kaspersky, etc.) and all came back clean. While I don't generally like Trusteer, I am familiar with it and installed it (it's free and works with many banks) temporarily. Sure enough, it says it is actively blocking GozNym!

The issue I am having is that there is absolutely no info on how to identify it and remove it. If you search the web you only get news stories, general info, and crappy old SpyHunter (and their parent company Enigma Software) with their hundreds of fake websites saying "how to remove" malware. Of course they don't tell you anything helpful and are all ads for SpyHunter (for those that don't know, SpyHunter is garbage and you should probably never use it).

I am going to NP the machine, but wanted to see if anyone on here has any info or experience with the Trojan.
 
I tested IE and Chrome, both got flagged by Trusteer. From what I read, all browsers are affected. The makers look to have outdone themselves ;)

I did try to look at info on Nymaim, but this new variant appears to have enough changes to hide incredibly well. As I said, I am going to wipe/reload the system this week so as not to put too much work into this issue, but wanted to see if anyone knew anything.
 
Putting '-spyhunter' at the end of your query can help filter out Enigma's annoying ankle-humping tactics.
 
The issue I am having is that there is absolutely no info on how to identify it and remove it. If you search the web you only get news stories, general info, and crappy old SpyHunter (and their parent company Enigma Software) with their hundreds of fake websites saying "how to remove" malware. Of course they don't tell you anything helpful and are all ads for SpyHunter (for those that don't know, SpyHunter is garbage and you should probably never use it).
OMG, my father-in-law put that on his computer. He even paid for it. I can't talk him out of it.
 
You're right, everyone's talking about it and no-one's saying much. There was this one tidbit:

"Kessem said the Trojan is being delivered primarily via email messages with so-called poisoned macros in a malware-infected attachment. Attackers then manipulate the victim’s browser, steal credentials and transfer money out of their accounts."
 
But is it real or a false positive?
With IBM's X-Force (security team) discovering the trojan, IBM's bank security software flagging it on the system, and the client's bank calling to let them know they identified it on their computer... I doubt it is a false positive.

I guess it could be some big conspiracy for IBM to gain trust in their Trusteer software.
 
I'm not convinced. You have ONE source making that claim and no tools finding the infection. Time to slap wireshark on the unit and see what it is transmitting.
 
AmericanBanker.com has a good write-up on this, including some hints on why it's difficult to detect:
http://www.americanbanker.com/news/...e-1080530-1.html?zkPrintable=1&nopagination=1

And a little more detail in exact function from SecurityAffairs: http://securityaffairs.co/wordpress/46683/malware/goznym-trojan-targets-europe.html

A few interesting takeaways:

1. You can rent this software for only about $500/month to do your evil bidding.
2. It's both an encryptor/ransomware and bank credential theft program. You get to choose what it does!
3. It's smart. That is, a small precursor program might watch how the computer is used and monitors to see if it accesses bank accounts. Then you can make the encryption/bank theft decision.
4. It's targeted. That is, it doesn't work with every bank and account, but rather is specifically designed to attack certain banks/credit unions and systems.

And still I don't see any reputable sites talking about how to detect it (apart from systems like Trusteer that can spot it in action on banking sites) or remove it.
 
I work for a bank that has been plagued by this malware. Some of our customers have had success with RogueKiller and/or Webroot. The problem is that you have to get rid of the "dropper" file that the malware inserts in the local Windows profile. Otherwise, every time you get rid of the active trojans, the user reboots, tries to access their bank, and the trojans reload.
Also, don't expect to see an obvious malware name on the malicious files. The ones that I have seen almost appear to be random file names (executables) with a numeric component. They show up in the registry in the RUN and RUNONCE entries as well as in the user's Startup folder. They will be something like "random-5.exe" (that is just an example, NOT one that I have actually seen).
The most effective removal technique appears to be Nuke & Repave
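The post above describes where the persistence lives (Run/RunOnce keys and the Startup folder) and what it looks like (random-looking executables with a numeric component, dropped inside the user profile). The following PowerShell is an added example for triaging a machine along those lines; it is not code from the thread or from any vendor, and the file-name regex and the "lives under a profile directory" heuristic are assumptions for illustration, not a GozNym signature. It lists every autostart entry it finds and flags the ones matching the heuristic, so a technician can decide what to kill and delete before the reboot-and-reinfect cycle the post describes.

```powershell
# Added example, not from the original thread. Enumerates Run/RunOnce registry
# values and Startup-folder items, resolves each to an executable path, and flags
# entries that both sit under the user's profile and have a name like "xyz-5.exe".
# The regex and profile-path heuristic below are ASSUMPTIONS for illustration.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders for the current user and for all users
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Hypothetical heuristic: short alpha prefix, optional dash/underscore, digits, .exe
$suspiciousName = '(?i)^[a-z]*[-_]?\d+\.exe$'

# Directories a dropper in the "local Windows profile" would plausibly live under
$profileRoots = @($env:USERPROFILE, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Get-ExePath {
    # Turn a Run-key command line into the executable it launches:
    # expand %VARS%, strip quotes, drop arguments.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if ($cmd -match '"([^"]+\.exe)"') { return $Matches[1] }
    if ($cmd -match '^(\S+\.exe)')    { return $Matches[1] }
    return $cmd
}

function Test-Suspicious {
    # True when the path is under a profile directory AND the name matches the heuristic
    param([string]$Path)
    if (-not $Path) { return $false }
    $lower = $Path.ToLower()
    $inProfile = @($profileRoots | Where-Object { $lower.StartsWith($_) }).Count -gt 0
    $name = [IO.Path]::GetFileName($Path)
    return ($inProfile -and ($name -match $suspiciousName))
}

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Path)
    [pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Path       = $Path
        Exists     = if ($Path) { Test-Path -LiteralPath $Path } else { $false }
        Suspicious = Test-Suspicious $Path
    }
}

$findings = @()

# Registry autostart values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc. metadata
        $findings += New-Finding -Source $key -Name $prop.Name -Path (Get-ExePath ([string]$prop.Value))
    }
}

# Startup-folder items, resolving .lnk shortcuts to their targets
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -File) {
        $target = $file.FullName
        if ($file.Extension -eq '.lnk') {
            $target = $shell.CreateShortcut($file.FullName).TargetPath
        }
        $findings += New-Finding -Source $dir -Name $file.Name -Path $target
    }
}

# Suspicious entries first; review Path and Exists before deleting anything
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the affected machine (as the infected user, since the HKCU hive and the per-user Startup folder are what matter here). Entries whose Exists column is False are stale and harmless; a True entry with Suspicious True pointing into AppData or Temp is the kind of dropper the post says must be removed, together with its registry value, before the reboot that would otherwise bring the trojans back.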
 