US security firm Malcovery has detected new malware targeting customers of NatWest and other banks that it believes is a mutation of the Gameover Zeus Trojan – showing that cyber criminals are successfully bypassing the recent global ‘takedown' that stopped the malware family in its tracks.
In a 10 July blog, Malcovery's Brendan Griffin and chief technologist Gary Warner said they had spotted a new Trojan based on the Gameover code being distributed as an attachment to spam emails, purporting to come from NatWest Bank.
Once opened, the malware mimics Gameover by using a domain generation algorithm (DGA) to locate its command-and-control servers: the bot derives a list of random-looking domain names from a shared algorithm, and the operators register a handful of those names ahead of time so that the bot finds a live server when it works through the list.
Malcovery says this approach “bears a striking resemblance to the DGA utilised by the Gameover Trojan”, although the new variant walks a different list of domains, because the original Gameover domains remain locked down.
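To make the DGA mechanism in the two paragraphs above concrete, here is an added example, written for this page and not code from Malcovery or from the Gameover family: a hypothetical date-seeded DGA of the kind described (the seed value, the hashing scheme, the 14-letter label length and the TLD list are all assumptions, not the real Gameover algorithm), together with the defender-side check it makes possible. Once analysts know the seed and the algorithm, they can precompute every name the bots will try on a given day and either sinkhole those names or alert on any DNS lookup for them, which is what lets a DGA's domains be locked down in advance.

```python
"""Illustrative date-seeded DGA plus the precomputed-domain check it enables.

Added example for this article; a hypothetical algorithm, NOT the DGA used by
Gameover or by the variant Malcovery describes.
"""
import hashlib
from datetime import date, timedelta

# Constructed parameters: a secret baked into the bot, shared with the botmaster,
# and the TLDs the generated names cycle through.
SEED = b"example-bot-seed"
TLDS = ("com", "net", "org", "biz")


def generate_domains(seed, day, count=10):
    """Return the candidate C2 domains a bot would try on `day`.

    Bot and botmaster both know `seed`; the date is the only moving part, so the
    botmaster registers one or two of today's names ahead of time while the
    bot walks the list until one of them resolves and answers.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # 14 pseudo-random lowercase letters for the label, TLD chosen by the last byte.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:14])
        domains.append("%s.%s" % (label, TLDS[digest[-1] % len(TLDS)]))
    return domains


def match_dga_queries(queries, seed, day, window_days=1):
    """Flag DNS query names that fall on the DGA's schedule around `day`.

    With the seed and algorithm recovered from a sample, a defender precomputes
    the names for a window of days (the window absorbs clock skew on infected
    hosts) and matches observed lookups against that set. Names are normalised
    to lowercase without a trailing dot before comparison.
    """
    expected = set()
    for offset in range(-window_days, window_days + 1):
        expected.update(generate_domains(seed, day + timedelta(days=offset)))
    hits = []
    for q in queries:
        name = q.lower().rstrip(".")
        if name in expected:
            hits.append(name)
    return hits


if __name__ == "__main__":
    today = date(2014, 7, 10)
    print("Today's candidate C2 names:")
    for name in generate_domains(SEED, today):
        print("  " + name)
    # Constructed DNS log: a legitimate lookup, one of today's DGA names (as a
    # resolver might log it, upper-cased with a trailing dot) and one of yesterday's.
    log = [
        "www.natwest.com",
        generate_domains(SEED, today)[2].upper() + ".",
        generate_domains(SEED, today - timedelta(days=1))[0],
    ]
    print("Flagged lookups:", match_dga_queries(log, SEED, today))
```

The matching step is the defender's leverage over a DGA: because the bot and its operators must agree on the list in advance, anyone who has the algorithm can enumerate the same list, which is why a takedown can register or sinkhole the names before the criminals do, and why the new variant had to move to a fresh list rather than reuse the seized one.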
This follows the successful disruption of Gameover and the Cryptolocker ransomware family in late May, through a global joint exercise by the FBI, Europol and the UK's NCA dubbed ‘Operation Tovar', which seized the malware's command servers and DGA domains and sinkholed its peer-to-peer network.
The authorities warned at the time that users might have just two weeks before the malware was back – but Malcovery confirmed this week with the FBI that the original Gameover infrastructure is still locked down.
As a result, it says the cyber criminals have adopted the new variant and new sites to get back ‘in business'.
In its blog, Malcovery explained that the new malware “exhibited behaviours characteristic of the Gameover Trojan—including the characteristic list of URLs and URL substrings targeted by the malware for web injects, form-grabs and other information-stealing capabilities.”
It added: “This discovery indicates that the criminals responsible for Gameover's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.”
One difference, Malcovery said, is that the original Gameover used a peer-to-peer network to reach its command servers, falling back to the DGA only when the peer-to-peer network was unreachable.
The new variant drops the peer-to-peer approach in favour of ‘fast flux' hosting, in which the command domains resolve to a rapidly changing set of compromised machines (bots) that proxy traffic to the real command servers; because the addresses behind each name change every few minutes and no single host is the server, the infrastructure is harder to map and take down.
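A network defender usually spots fast-flux hosting from its DNS footprint rather than from the malware itself. The following is an added example for this article, not Malcovery's tooling or anything from the variant it describes: a heuristic that scores domains seen in passive-DNS style records by the three traits fast flux leaves behind (very short TTLs, many distinct addresses over time, and addresses scattered across unrelated networks). The observation records, the domain names and the thresholds are constructed for illustration; the /24 prefix count stands in for the per-ASN diversity a production tool would take from a routing table.

```python
"""Heuristic fast-flux detector over passive-DNS style observations.

Added example for this article; constructed data, not Malcovery's detection logic.
"""
from collections import defaultdict
import ipaddress

# Constructed observations: (queried name, TTL in seconds, A records in the answer).
# All addresses are from RFC 5737 documentation ranges.
# flux-example.test   : tiny TTL, a fresh set of addresses on every answer, across several networks.
# cdn-example.test    : tiny TTL and many addresses too, but all inside one /24 (looks like a CDN).
# static-example.test : long TTL, one stable address.
OBSERVATIONS = [
    ("flux-example.test", 120, ["198.51.100.17", "203.0.113.5", "192.0.2.77"]),
    ("flux-example.test", 120, ["203.0.113.88", "198.51.100.203", "192.0.2.9"]),
    ("flux-example.test", 60, ["192.0.2.130", "203.0.113.140", "198.51.100.250"]),
    ("cdn-example.test", 60, ["203.0.113.10", "203.0.113.11", "203.0.113.12"]),
    ("cdn-example.test", 60, ["203.0.113.13", "203.0.113.14", "203.0.113.15"]),
    ("static-example.test", 3600, ["198.51.100.1"]),
    ("static-example.test", 3600, ["198.51.100.1"]),
]


def summarize(observations):
    """Aggregate per-name statistics: answer count, TTL total, distinct IPs and /24 prefixes."""
    stats = defaultdict(lambda: {"answers": 0, "ttl_sum": 0, "ips": set(), "prefixes": set()})
    for name, ttl, ips in observations:
        s = stats[name]
        s["answers"] += 1
        s["ttl_sum"] += ttl
        for ip in ips:
            s["ips"].add(ip)
            # Crude network-diversity proxy: the /24 each address falls in.
            s["prefixes"].add(str(ipaddress.ip_network(ip + "/24", strict=False)))
    return stats


def is_fast_flux(s, max_ttl=300, min_ips=6, min_prefixes=3):
    """All three traits must hold; low TTL plus many IPs alone also describes a CDN,
    so the prefix-diversity requirement is what separates the two in this heuristic."""
    avg_ttl = s["ttl_sum"] / s["answers"]
    return avg_ttl <= max_ttl and len(s["ips"]) >= min_ips and len(s["prefixes"]) >= min_prefixes


def flag_fast_flux(observations, **thresholds):
    """Return the sorted list of names whose aggregated stats look like fast flux."""
    stats = summarize(observations)
    return sorted(name for name, s in stats.items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for name, s in summarize(OBSERVATIONS).items():
        print("%-22s avg_ttl=%5.0f ips=%2d prefixes=%d" % (
            name, s["ttl_sum"] / s["answers"], len(s["ips"]), len(s["prefixes"])))
    print("Flagged:", flag_fast_flux(OBSERVATIONS))
```

In practice the prefix count would be replaced by ASN lookups, a window of days rather than a handful of answers, and an allowlist of known CDNs; the point the example makes is that fast flux is visible as a property of the name's resolution history even when the proxies themselves are ordinary infected hosts.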