Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

5/16/2019
03:30 PM
US Charges Members of GozNym Cybercrime Gang

The FBI and counterparts from other nations say group infected over 41,000 computers with malware that steals banking credentials.

US law enforcement authorities and their counterparts from five other countries have announced charges against 10 members of an international cybercrime operation that attempted to steal an estimated $100 million from organizations in the US and elsewhere in 2016.

An indictment unsealed Thursday by the US Attorney's Office for the Western District of Pennsylvania accused the individuals of committing bank fraud, wire fraud, and money laundering as part of a sophisticated, international cybercrime network called GozNym.

Five of the indicted individuals are based in Russia and remain fugitives from justice, the US Department of Justice announced Thursday. The other individuals are based in Georgia, Ukraine, Moldova, and Bulgaria and face prosecution in their respective countries.

An eleventh individual, Krasimir Nikolov, aka pablopicasso, was arrested in Bulgaria and extradited to the US in December 2016 on related charges. He has since pleaded guilty to participating in the GozNym operation. Nikolov is scheduled for sentencing in Pittsburgh federal court on August 30, 2019, the DOJ said.

"The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime," US Attorney Scott Brady of the Western District of Pennsylvania said. "This prosecution represents an international cooperative effort to bring cybercriminals to justice."

According to the indictment, the eleven individuals belonged to a gang that stole money from the bank accounts of businesses located mostly in the United States and Europe.

The group is alleged to have infected tens of thousands of computers with GozNym, malware built to steal online banking credentials from infected systems. GozNym was designed to lurk on a system and wait until the user attempts to log in to their bank account online; the malware then captures the username and password and transmits them to a server controlled by the attackers.

Certain members of the GozNym crew then used the stolen credentials to access victims' bank accounts, steal money from them, and launder the funds through US and foreign bank accounts controlled by the gang.

An April 2016 IBM blog described GozNym as a hybrid malware tool that combines the best features of two earlier banking Trojans, Nymaim and Gozi. At the time, IBM said the malware was being actively used in attacks against customers of more than two dozen banks in the US and Canada and had resulted in the theft of millions of dollars.

Limor Kessem, global executive security advisor of the X-Force team at IBM, says GozNym-facilitated fraud attacks amounted to over $4 million in losses within just the first few days of its activity. "[GozNym] was unique because the malware authors had created a double-headed monster," Kessem says.

GozNym combined the Nymaim dropper's stealth and persistence and Gozi's capabilities to facilitate wire fraud on infected user devices, she notes. "[It made] for a powerful combination like nothing else in the cybercriminal toolkit arena at the time," Kessem says.

The alleged leader of the GozNym operation was Alexander Konovolov, 35, a Tbilisi, Georgia native who often used the online handles NoNe and none_1 when carrying out his criminal activities. Konovolov is alleged to have controlled some 41,000 computers infected with GozNym malware.

Sophisticated Criminal Team

According to the indictment, Konovolov assembled the GozNym team by recruiting members via underground Russian-language online forums. Many of the members Konovolov recruited were individuals who advertised their specialized technical skills and availability on these forums.

Among them was Marat Kazandjian, 31, of Kazakhstan and Tbilisi, Georgia. The indictment against Kazandjian describes him as being Konovolov's primary assistant and technical administrator. Both Konovolov and Kazandjian are being prosecuted in Georgia.

Most of the other indicted members of the GozNym gang had specific and separate roles within the operation. 

Gennady Kapkanov, 36, of Ukraine is charged with operating the Avalanche network, a so-called bulletproof hosting service on which the GozNym malware was hosted and from which it was distributed worldwide. Kapkanov is alleged to have offered similar malware hosting services to at least 200 other cybercriminals. Ukrainian authorities arrested Kapkanov in November 2016 after he shot at law enforcement officers conducting a search of his facilities. He is being prosecuted in Ukraine for his role in the GozNym campaign.

Moldovan national Eduard Malanici, 32, is accused of helping encrypt the GozNym malware so it could evade detection by anti-malware tools and other security controls on victim systems. Malanici, along with two other unnamed accomplices, will stand trial in Moldova.

Vladimir Gorin, one of the five indicted individuals who currently remain free in Russia, is charged with developing, leasing, and managing GozNym. Another Russian national, Ruslan Katirkin, was an account-takeover specialist who used the credentials obtained by the GozNym malware to break into victim accounts and steal money from them.

Three other indicted individuals, Alexander Van Hoof of Ukraine, Viktor Eremenko of Russia, and Farkhad Manokhin, also of Russia, are accused of operating bank accounts for receiving and laundering funds stolen from the victims of the GozNym campaign. Katirkin, Eremenko, and Manokhin currently remain at large in Russia. Manokhin was actually arrested in 2017 in Sri Lanka and was awaiting extradition to the US when he managed to flee the country and escape to Russia.

Nikolov, the only member of the gang who is facing prosecution in the US so far, was a "casher," or account-takeover specialist. Like Katirkin, his role in the GozNym operation was to use stolen credentials to break into bank accounts and steal money from them.

Though five of the indicted individuals remain free, they run the risk of capture and extradition if they set foot in a country with an extradition agreement with the US.

"If there's anything that discourages crime, it is seeing that it doesn't pay," Kessem says. The persistence of law enforcement in tracking down the alleged perpetrators over three years is also a win for cybercrime victims, especially organizations that can lose millions to such fraud attacks, Kessem says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
