Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/16/2019
03:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

US Charges Members of GozNym Cybercrime Gang

The FBI and counterparts from other nations say group infected over 41,000 computers with malware that steals banking credentials.

US law enforcement authorities and their counterparts from five other countries have announced charges against 10 members of an international cybercrime operation that attempted to steal an estimated $100 million from organizations in the US and elsewhere in 2016.

An indictment unsealed Thursday by the US Attorney's Office for the Western District of Pennsylvania accused the individuals of committing bank fraud, wire fraud, and money laundering, in an operation of a sophisticated, international cybercrime network called GozNym.

Five of the indicted individuals are based in Russia and remain fugitives from justice, the US Department of Justice announced Thursday. The other individuals are based in Georgia, Ukraine, Moldova, and Bulgaria and face prosecutions in their respective countries.

A eleventh individual, Krasimir Nikolov, aka pablopicasso, was arrested in Bulgaria and extradited to the US in December 2016 on related charges. He has since pleaded guilty to participating in the GozNym operation. Nikolov is scheduled for sentencing in Pittsburgh federal court August 30, 2019, the DOJ said.

"The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime," US Attorney Scott Brady of the Western District of Pennsylvania said. "This prosecution represents an international cooperative effort to bring cybercriminals to justice."

According to the indictment, the eleven individuals belonged to a gang that stole money from the bank accounts of businesses located mostly in the United States and Europe.

The group is alleged to have infected tens of thousands of computers with GozNym, a malware for stealing online banking credentials from the infected systems. GozNym was designed to lurk on a system and wait until a user attempts to access their bank account online - then the malware steals their username and password and transmits them to a server controlled by the attackers.

Certain members of the GozNym crew then used the stolen credentials to access the victim's bank account, to steal money from it, and launder the funds via US and foreign bank accounts controlled by the gang.

An April 2016 IBM blog described GozNym as a hybrid malware tool that combines the best features of two earlier banking Trojans—Nymaim and Gozi. At the time, IBM said the malware was being actively used in attacks against customers of more than two-dozen banks in the US and Canada and had resulted in the theft of millions of dollars.

Limor Kessem, global executive security advisor of the X-Force team at IBM, says GozNym-facilitated fraud attacks amounted to over $4 million of dollars in losses within just the first few days of its activity. "[GozNym] was unique because the malware authors had created a double-headed monster," Kessem says.

GozNym combined the Nymaim dropper's stealth and persistence and Gozi's capabilities to facilitate wire fraud on infected user devices, she notes. "[It made] for a powerful combination like nothing else in the cybercriminal toolkit arena at the time," Kessem says.

The alleged leader of the GozNym operation was Alexander Konovolov, 35, a Tbilisi, Georgia native who often used the online handles NoNe and none_1, when carrying out his criminal activities. Konovolov is alleged to have controlled some 41,000 computers infected with GozNym malware.

Sophisticated Criminal Team

According to the indictment, Konovolov assembled the GozNym team by recruiting members via underground Russian-language speaking online forums. Many of the members that Konovolov recruited were individuals who advertised their specialized technical skills and availability on these forums.

Among them was Marat Kazandjian, 31, of Kazakhstan and Tbilisi, Georgia. The indictment against Kazandjian describes him as being Konovolov's primary assistant and technical administrator. Both Konovolov and Kazandjian are being prosecuted in Georgia.

Most of the other indicted members of the GozNym gang had specific and separate roles within the operation. 

Gennady Kapkanov, 36, of Ukraine is charged with operating Avalanche network, a so-called bulletproof hosting service on which the GozNym malware was hosted and from where it was distributed worldwide. Kapkanov is alleged to have offered similar malware hosting services for at least 200 other cybercriminals. Ukrainian authorities arrested Kapkanov in November 2016 after he shot at law enforcement officers conducting a search of his facilities. He is being prosecuted in Ukraine for his role in the GozNym campaign.

Moldova-national Eduard Malanici, 32, is accused of helping encrypt GozNym malware so it could evade detection by anti-malware tools and other security controls on victims. Malanici, along with two other unnamed accomplices, will stand trial in Moldova.

Vladimir Gorin, one of the five indicted individuals that currently remain free in Russia, is charged with developing, leasing, and managing GozNym. Another Russian national, Ruslan Katirkin, was an account-takeover specialist who used the credentials obtained by the GozNym malware to break into victim accounts and steal money from them.

Three other indicted individuals—Alexander Van Hoof of Ukraine, Viktor Eremenko, of Russia, and Farkhad Manokhin also of Russia—are accused of operating bank accounts for receiving and laundering funds stolen from the victims of the GozNym campaign. Katirkin, Eremenko, and Manokhin currently remain at large in Russia. Makokhin was actually arrested in 2017 in Sri Lanka and was awaiting extradition to the US when he managed to flee from the country and escape to Russia.

Nikolov, the only member of the gang that is facing prosecution in the US so far, was a "casher" or account-takeover specialist. Like Katirkin, his role in the GozNym operation was to use stolen credentials to break into bank accounts and steal money from them.

Though five of the indicted individuals remain free, they run the risk of capture and extradition if they set foot in a country with an extradition agreement with the US.

"If there's anything that discourages crime, it is seeing that it doesn't pay," Kessem says. The persistence of law enforcement in tracking down the alleged perpetrators over three years is also a win for cybercrime victims, especially organizations that can lose millions to such fraud attacks, Kessem says.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The State of Email Security and Protection
Mike Flouton, Vice President of Email Security at Barracuda Networks,  11/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18881
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
CVE-2019-18882
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.
CVE-2019-18873
PUBLISHED: 2019-11-12
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the pa...
CVE-2019-18874
PUBLISHED: 2019-11-12
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.