IBM warned that a hybrid Trojan stole $4 million from some two dozen American and Canadian financial institutions within days of its emergence.
IBM X-Force Research, which uncovered the hybrid malware, noted that GozNym's current configuration targets U.S. banks, credit unions and popular e-commerce platforms, along with two Canadian financial institutions. Its top targets are business accounts.
The GozNym hybrid combines the strengths of the Nymaim and Gozi ISFB malware families into a single, more capable Trojan, IBM Executive Security Advisor Limor Kessem said in the alert.
"Internally, GozNym works like a double-headed beast, where the two codes rely on one another to carry out the malware's internal operations," Kessem said.
"The new GozNym Trojan is the combination of Nymaim and Gozi ISFB, a previous version of Vawtrak, also used to attack banks," Pablo de la Riva Ferrezuelo, CTO and founder of buguroo, a threat intelligence startup spun out of Deloitte's European Security Operations Center, said. "Though the combination creates a new strain, its end game is the same: Dynamic web injects in the end user browser."
He added, "GozNym is a perfect example of why financial institutions need technologies that can stop even brand new malware in the wild."
John Peterson, vice president of enterprise product management for the Clifton, N.J.-based cybersecurity firm Comodo, said IT departments have to look at installing modern, secure web gateways and advanced endpoint protection solutions that can stop malware and cyberattacks from hurting individuals and organizations.
"Financial services organizations and banks are the ideal targets for the cybercriminal today because they house highly valuable personal information in mass quantities – the proverbial goldmine for the cyberthief," Peterson said. "It's a harsh reality that the technology some organizations use today is as effective as installing a home security system that alerts you to a break-in after the robbers have already stolen everything, vandalized the house and left."
According to IBM, GozNym is built from two known malware code bases. One of them, Gozi ISFB, was leaked in 2010 and again in late 2015; the only group known to possess Nymaim's source code is its original development team.
"The most likely scenario is that the Nymaim team obtained the leaked Gozi ISFB code and successfully incorporated it into their own malware to create a combination Trojan for financial fraud attacks," Kessem wrote.
Nymaim is a two-stage malware dropper. It is usually delivered by exploit kits and, once on the machine, executes the second stage of its payload, so the infection routine effectively uses two executables. The Nymaim Trojan relies on evasion techniques such as encryption, anti-virtual-machine checks, anti-debugging and control-flow obfuscation. Although it had been paired with other banking Trojans in the past, its first tight connection with banking malware began in November 2015.
Not all campaigns linked to the malware were documented, according to the X-Force team. However, related data released by an independent blogger cited more than 2.5 million infections via the Blackhole Exploit Kit in late 2013.
In late 2015, X-Force researchers noticed that Nymaim had started fetching a Gozi ISFB module, a web-injection dynamic link library (DLL), and using it to launch online banking attacks.
As for the infection vector, some cases from 2016 showed the Pony loader executing Nymaim, which then fetched Gozi ISFB as the third step in the infection flow.
The first merged variant, GozNym, was detected in early April 2016, when new Nymaim samples turned up with Gozi ISFB embedded in them in hybrid form. Nymaim is launched first; the Gozi ISFB component is launched in the second stage of the malware deployment.
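The staged flow described above (a loader starts a dropper, the dropper starts a second stage, and the final stage pushes a web-inject module into the victim's browser) is the kind of process lineage an endpoint sensor can flag. The following is an added detection example, not code from IBM X-Force, the article or the malware itself: it walks the parent chain of whatever process injects into a browser and reports how many consecutive ancestors ran from user-writable directories. The event schema (`process` and `inject` records with `pid`, `ppid`, `source_pid`, `target_pid`), the image names and the directory heuristics are constructed assumptions for illustration, modelled loosely on Sysmon process-create and CreateRemoteThread events.

```python
# Constructed sample telemetry (not from the article): one benign process
# tree plus a three-stage chain ending in an injection into a browser.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    # stage 1: a loader dropped in the user's Temp directory (Pony-like role)
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\invoice.exe"},
    # stage 2: first dropper executable written to AppData (Nymaim-like role)
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Roaming\stage1.exe"},
    # stage 3: second-stage executable started by the dropper
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Roaming\stage2.exe"},
    # the victim's browser, started normally from the desktop shell
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Program Files\Browser\browser.exe"},
    # the final stage injects (e.g. a web-inject DLL) into the browser
    {"type": "inject", "source_pid": 400, "target_pid": 500},
    # a benign injection from the shell itself, which should not be flagged
    {"type": "inject", "source_pid": 100, "target_pid": 500},
]

# Assumed heuristics: path fragments that mark user-writable locations, and
# browser image names worth protecting. Both lists are illustrative only.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
BROWSERS = {"browser.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    """True if the image path contains one of the user-writable markers."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def build_process_table(events):
    """Index process-creation events by pid."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def dropper_chain(pid, procs):
    """Walk from pid up through its parents while every image lives in a
    user-writable directory; return the stages oldest-first."""
    chain = []
    while pid in procs and in_user_writable(procs[pid]["image"]):
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    chain.reverse()
    return chain


def find_staged_injections(events, min_stages=2):
    """Flag injections into a browser whose source sits at the end of a
    chain of at least min_stages executables run from user-writable paths."""
    procs = build_process_table(events)
    findings = []
    for e in events:
        if e["type"] != "inject":
            continue
        target = procs.get(e["target_pid"])
        if target is None or basename(target["image"]) not in BROWSERS:
            continue
        chain = dropper_chain(e["source_pid"], procs)
        if len(chain) >= min_stages:
            findings.append({"target": basename(target["image"]), "stages": chain})
    return findings


if __name__ == "__main__":
    for finding in find_staged_injections(EVENTS):
        print("staged injection into %s via %s" % (finding["target"], " -> ".join(finding["stages"])))
```

The benign injection from `explorer.exe` produces an empty chain and is ignored, while the three-stage chain is reported as `invoice.exe -> stage1.exe -> stage2.exe`. Raising `min_stages` trades coverage for fewer alerts; in practice the directory heuristic would be replaced by signer and prevalence data.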
© 2025 ALM Global, LLC, All Rights Reserved.