Despite the efforts of different law enforcement agencies and several private security companies to disrupt a massive GameOver ZeuS botnet in early June, a new variant of the malware has been uncovered.
Security researchers from Malcovery say that the mutation is fresh: they found that one of the domains used for command and control activity had been registered in China on Thursday, July 10, and that it was active.
The operators of the new GameOver ZeuS strain deliver the malware through spam purporting to be notifications from financial institutions, fake messages from banks such as M&T and NatWest being among the samples caught by the security researchers.
The emails come with an attachment which, once opened, executes the malware payload and initiates communication with command and control (C2) servers in order to receive instructions.
Malcovery security engineers noticed that the fresh variant relies on a domain-generation algorithm (DGA) that “bears a striking resemblance” to the original GameOver ZeuS.
A DGA generates a large number of random domain names, and the malware contacts only a small number of them in search of one that responds to its requests and provides the instruction set.
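That lookup pattern is visible to defenders in resolver logs as a run of failed lookups for random-looking names from one host, sometimes ending in a name that resolves. The sketch below is an added example, not code from Malcovery or from the malware; the log format, the thresholds and the `.example` domain names are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS resolver log, "client qname rcode"; names use the reserved
# .example TLD and are not real GameOver ZeuS domains.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 intranet.exmaple.com NXDOMAIN
10.0.0.7 qzx7k2m9v4p1w8t3.example NXDOMAIN
10.0.0.7 h5n0c8r3y6j1f9d2.example NXDOMAIN
10.0.0.7 b7g4s1l9u2e6o3i8.example NXDOMAIN
10.0.0.7 m2x8q5z1k7w3v9p4.example NXDOMAIN
10.0.0.7 t6y1r9d3f8h2j5n0.example NOERROR
"""

def entropy(label):
    """Shannon entropy of the label's characters, in bits per character."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def looks_generated(qname, min_len=12, min_entropy=3.5):
    """Heuristic with assumed thresholds: long, high-entropy registered label."""
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]  # label directly left of the TLD
    return len(label) >= min_len and entropy(label) >= min_entropy

def find_dga_clients(log_text, min_nx=3):
    """Return {client: {"nx": count, "resolved": [names]}} for clients with at
    least min_nx NXDOMAIN answers on generated-looking names."""
    nx = defaultdict(int)
    resolved = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        client, qname, rcode = fields
        if not looks_generated(qname):
            continue
        if rcode == "NXDOMAIN":
            nx[client] += 1
        elif rcode == "NOERROR":
            resolved[client].append(qname)  # candidate live C2 name
    return {c: {"nx": n, "resolved": resolved[c]} for c, n in nx.items() if n >= min_nx}

if __name__ == "__main__":
    for client, hit in find_dga_clients(SAMPLE_LOG).items():
        print(client, hit)
```

The names listed under `resolved` for a flagged client are the ones to check first, since they are the generated-looking names that actually answered.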
After contacting the FBI and Dell SecureWorks, two of the parties involved in Operation Tovar, the takedown of the botnet in early June, Malcovery experts could confirm that the C2 servers used for that botnet were still under the control of those parties.
In an official statement, the Department of Justice “reported that all or nearly all of the active computers infected with GameOver Zeus have been liberated from the criminals’ control and are now communicating exclusively with the substitute server established pursuant to court order.”
A difference compared to the original malware is that the newly discovered variant no longer uses the peer-to-peer architecture.
Furthermore, “in addition to a new DGA, the malware seems to have traded its Peer to Peer Infrastructure for a new Fast Flux hosted C&C strategy,” say the security experts in a blog post.
The FBI estimated that the GameOver ZeuS botnet led to losses of more than $100 million / €73.5 million. Since the source code for GameOver ZeuS was still in the hands of the cybercriminals, this comeback should not come as a surprise.
Towards the end of June, security researchers from Arbor Networks announced that they found evidence of an active malicious campaign that was based on the GameOver Trojan and which evaded the takedown.