It’s only been a little more than a month since the FBI and Europol took down the GameOver Zeus botnet, taking control of its command-and-control infrastructure and effectively cutting off the malware’s head. But researchers say that there are some indications that a new strain of the malware may already be active again.
GameOver Zeus was a major source of malicious activity on the Web for several years, and the botnet was used to distribute the nasty CryptoLocker ransomware. In early June, authorities at the FBI and Europol, in cooperation with a number of security companies and researchers, seized some of the servers involved in the command and control of the GOZ botnet and redirected the traffic destined for those C2 servers. The operation was complicated, especially given the peer-to-peer architecture of the GOZ network.
Researchers at Malcovery Security came across a series of new spam campaigns on Thursday that were distributing a piece of malware that they say looks to be based on the GOZ binary. The campaigns mainly comprise fake notifications from financial institutions, including M&T Bank and NatWest. All of the malicious emails contain a zip file with a .scr attachment inside.
“Once the attachment was opened and the malware payload executed, the malware began to make attempts to contact certain websites in accordance with a domain generation algorithm. The goal of these contact attempts is to make contact with a server that can in turn provide instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMware Tools will stop the malware from executing,” the analysis of the malware by Brendan Griffin and Gary Warner of Malcovery says.
“Other sandboxes would not have noticed the successful connection, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was used successfully to launch the new Zeus trojan and download the bank information ‘webinject’ files from the server.”
Though the original GOZ malware also used a domain generation algorithm, this version generates a different set of potential C2 domains, since the original infrastructure has been seized.
“This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan. In addition to a new DGA, the malware seems to have traded its Peer to Peer Infrastructure for a new Fast Flux hosted C&C strategy,” the analysis says.
It’s not clear how many machines the new strain has infected so far, but researchers say that the Trojan has many of the same characteristics and capabilities as the old GOZ malware.
“Malcovery was able to identify a number of the command-and-control hosts believed to be involved in this attempt to revive the GameOver botnet. Following contact with any of these hosts, the malware began to exhibit behaviors characteristic of the GameOver trojan—including the characteristic list of URLs and URL substrings targeted by the malware for Web injects, form-grabs, and other information stealing capabilities,” the analysis says.
“This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.”