The international criminal gang behind the infamous Goznym malware has been disbanded following a complex law enforcement investigation in Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States.
The investigation has resulted in indictments for ten defendants, five of whom have been apprehended: Two in Germany, one in Bulgaria, one in Moldova, and the alleged leader of the gang in Georgia. Five Russian nationals involved in the operation, including the individual who developed Goznym malware, have not yet been caught.
Goznym malware has been used in attacks on a wide range of targets, including many small businesses and not-for-profit organizations. Goznym malware was used to target customers of 24 banks, credit unions and e-commerce sites in the United States and Canada.
More than 41,000 computers were infected with the malware, which was used to steal more than $100 million from bank accounts. Most of the attacks occurred between October 2015 and December 2016.
Goznym is a hybrid of two different malware variants – Nymaim and Gozi. Nmyaim is a malware dropper that is used to deliver other malware variants to compromised computers. It has been extensively used to deliver ransomware. Gozi is a banking Trojan, which is used to steal banking credentials.
Goznym was primarily distributed via emails sent through the Avalanche malware distribution network. Avalanche was dismantled in 2016 after being used for the past 7 years. The network was used to deliver various different malware variants and was used by an estimated 200 cybercriminals for conducting malware campaigns. The network included more than 800,000 domains spread across 60 different registrars.
The emails contained links to domains hosting the malware and via malicious attachments. Once Goznym was installed, the malware captured banking credentials and took screenshots and sent the information to the hackers who used the information to make fraudulent wire transfers.
The malware was offered as cybercrime-as-a-service and with the gang members comprising of cryptors, spammers, coders, organizers, money mules, and money launderers. Users of the malware benefitted from bulletproof hosting and received technical support to help them conduct campaigns.
Alexander Konovolov, 35, of Tbilisi, Georgia, the alleged leader of the gang, was responsible for leasing the malware and advertising it on underground hacking forums.
The defendants have been charged with infecting victims’ computers with malicious software to capture banking credentials, use of stolen credentials to gain unauthorized access to bank accounts, theft of funds from bank accounts, and money laundering.
The investigation involved unprecedented cross-border cooperation between Europol, the European Agency for Law Enforcement Cooperation, Eurojust, and law enforcement agencies in Germany, Bulgaria, Moldova, Georgia, Ukraine, and the United States.
“This operation showcases how an international effort to share evidence and initiate criminal prosecutions can lead to successful operations in multiple countries,” wrote Europol in a press release announcing the arrests and the dismantling of the cybercriminal network.