Investigative services from several European countries have taken action against a gang of malware distributors. The group used the GozNym banking trojan to steal more than one hundred million dollars from more than 41,000 victims. The malware mainly affected companies and banks.
Investigative services from various Eastern European countries such as Bulgaria, Moldova and Ukraine took part in the operation. Germany, the United States and Georgia were also involved in the action. It was coordinated by Europol, which presented details this afternoon. Ten of the suspects are being charged in Georgia, Ukraine, Moldova and the United States for developing the malware. In Germany, two suspects are also charged with laundering the loot, and five suspects are still on the run. According to Europol, they are from Russia.
The gang had developed proprietary malware known as GozNym. It has been active since 2016. The name is a contraction of the two malware families from which GozNym is derived: Nymaim, which infects computers via an exploit kit, and Gozi, which can steal login information via the browser. The malware was mainly used to steal bank details from victims. The source code of those two existing viruses leaked years ago. The malware also used various encryption techniques to evade detection by virus scanners.
The leader of the gang offered the malware as a service on the internet. He recruited several gang members on Russian forums, who helped him to further develop the malware. According to Europol, buyers of the malware spread it on a large scale and thus managed to infect more than 41,000 victims. Infections occurred through drive-by downloads and through attachments in phishing emails.
According to Europol, the investigation started as early as November 2016. At that time, the German authorities took a Ukrainian hosting provider offline that was said to have been used to host more than 20 command and control servers for malware, including GozNym.