The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.
GOZ was one of the more successful pieces of financial malware to appear in recent years, and was used by its creators to perpetrate massive wire fraud schemes around the globe. The malware differed from its older cousin, Zeus, in that it employed a P2P architecture for its command and control infrastructure, something that made it more difficult for authorities and researchers to track and defeat. Although a large joint operation between security researchers and law enforcement agencies in the United States and Europe took down the GOZ infrastructure in June, experts say they have seen definitive signs that GOZ is coming back to life.
In July researchers identified a potential new version of the GOZ malware, and just this week researchers at Arbor Networks said they have evidence that the GOZ botnet is coming back to life. The company has been operating five separate GOZ sinkholes and has seen more than 12,000 unique GOZ-infected IP addresses connecting to the servers. Now, researchers at IBM’s X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ’s penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.
“There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we’ve witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators,” Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware.
Like other similar pieces of malware, Cridex/Bugat is designed specifically to steal valuable banking credentials and other financial data. One key element of this kind of attack is the ability of the malware to capture the credentials of an infected user as he visits his bank’s site. Cridex/Bugat has the ability to detect when a user his trying to visit an online banking site and it will then redirect the victim to an identical, but attacker-controlled site, and grab the credentials as he enters them. The malware then connects to the target bank from the user’s IP address and execute wire transfers or other fraudulent transactions.
“In case the bank requests more information from the criminal during the transaction process, the criminal can obtain these data elements by using social engineering and HTML injection. These requests are presented to victims in real time. Such requests can include secret questions and two-factor authentication such as one-time passwords,” Maor said.
It’s quite common for malware gangs to adopt the successful techniques they observe in other attackers’ creations, and collaborations among malware and cybercrime gangs are not unheard of. So it would not be a surprise to see other groups pick up more of the traits that made GOZ such a success.