US security firm Malcovery has detected new malware targeting customers of NatWest and other banks that it believes is a mutation of the Gameover Zeus Trojan – showing that cyber criminals are successfully bypassing the recent global ‘takedown’ that stopped the malware family in its tracks.
In a 10 July blog, Malcovery's Brendan Griffin and chief technologist Gary Warner said they had spotted a new Trojan based on the Gameover code being distributed as an attachment to spam emails, purporting to come from NatWest Bank.
Once opened, the malware mimics Gameover by using a domain generation algorithm (DGA) method to contact its command botnet via a list of specially set up websites with random-looking domain names.
Malcovery says this approach “bears a striking resemblance to the DGA utilised by the Gameover Trojan” – although it uses a different list of domains, because the original Gameover domains are still locked down.
This follows the successful disruption of Gameover and the Cryptolocker ransomware family in late May, through a global joint exercise by the FBI, Europol and the UK's NCA dubbed ‘Operation Tovar’ that involved knocking out all the malware's command servers.
The authorities warned at the time that users might have just two weeks before the malware was back – but Malcovery confirmed this week with the FBI that the original Gameover infrastructure is still locked down.
As a result, it says the cyber criminals have adopted the new variant and new sites to get back ‘in business’.
In its blog, Malcovery explained that the new malware “exhibited behaviours characteristic of the Gameover Trojan—including the characteristic list of URLs and URL substrings targeted by the malware for web injects, form-grabs and other information-stealing capabilities.”
It added: “This discovery indicates that the criminals responsible for Gameover's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.”
One difference, Malcovery said, is that the original Gameover used a peer-to-peer method to connect the malware to its command servers, with the DGA method there as a backup.
The new variant drops this peer-to-peer approach in favour of ‘fast flux’ hosting, which hides the attack behind a fast-changing network of hijacked host servers (a botnet), to make it more difficult to take down.
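The DGA rendezvous described above leaves a recognisable trace in DNS logs: an infected host queries a run of random-looking names, most of which fail to resolve (NXDOMAIN) until it reaches one the operators have registered. As an added example, not from Malcovery's report or this article, here is a small Python check over constructed DNS log lines that flags clients showing that pattern; the log format, the thresholds and all hostnames are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS log lines (client, queried name, response code); not real data.
SAMPLE_LOG = """\
10.0.0.5 www.natwest.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.9 xk4q2vplw9z7ah3m.com NXDOMAIN
10.0.0.9 p0w8zrqk3n7vb2tf.net NXDOMAIN
10.0.0.9 gh7mc2xq9vlp4kzw.org NXDOMAIN
10.0.0.9 t3rq9w6kxz2pv8lm.biz NXDOMAIN
10.0.0.9 d9z3wk7qxv2rp5tn.info NOERROR
10.0.0.5 cdn.example.net NOERROR
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; DGA-style labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(name: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Heuristic (assumed thresholds): long first label with a near-uniform character mix."""
    label = name.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def flag_dga_clients(log_text: str, min_hits: int = 3) -> dict:
    """Return {client: (dga_like_queries, nxdomain_among_them)} for every client
    whose count of DGA-like queries reaches min_hits."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, name, rcode = parts
        if is_dga_like(name):
            stats[client][0] += 1
            if rcode == "NXDOMAIN":
                stats[client][1] += 1
    return {c: tuple(v) for c, v in stats.items() if v[0] >= min_hits}


if __name__ == "__main__":
    for client, (hits, nx) in flag_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {hits} DGA-like queries, {nx} of them NXDOMAIN")
```

The NXDOMAIN ratio is the useful second signal: legitimate CDN or tracking hostnames can also look random, but they resolve.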
Malcovery's analysis is supported by industry expert Brian Krebs, who confirmed in a 10 July blog describing their findings: “Cyber crooks today began taking steps to resurrect the Gameover Zeus botnet, a complex crime machine that has been blamed for the theft of more than £60 million from banks, businesses and consumers worldwide. The revival attempt comes roughly five weeks after the FBI joined several nations, researchers and security firms in a global and thus far successful effort to eradicate it.”
Krebs said that the new mutation “shares roughly 90 percent of its code base with Gameover Zeus”.
Meanwhile, Lancope director of security research, Tom Cross, told journalists via email: “This new variant uses different command and control domains than the one that law enforcement targeted last month. This development was predicted by the law enforcement agencies and researchers involved in the initial botnet takedown, and it indicates that the operators of this botnet intend to continue to engage in this sort of computer crime.”
But analysing Malcovery's discovery, Webroot threat researcher Roy Tobin downplayed the significance of the report.
He told SCMagazineUK.com via email: “The botnets that were taken down recently will no doubt be rebuilt by the criminals. As for what we are seeing now, there are a huge number of variants of this malware; each one can be custom-designed to fit a certain purpose. For instance, a few months ago they were dropping Cryptolocker, which itself will no doubt come back to the front soon.”
Tobin added: “This particular variant of Zeus malware has been seen in the wild using various different file names (MIDO.exe, etc) but it follows the usual Zeus behaviour in that it creates a registry run key. We have seen a huge number of this type of infection over the last few months.”
Last month, SC also reported that despite the recent takedown, security researchers at Arbor Networks' ASERT division had found cyber criminals using Gameover, alongside a tweaked variant of the Citadel botnet, to target a number of small European banks.
Malcovery could not be contacted for additional comment at the time of writing.