GameOver Zeus Reloaded – a new improved version in the wild

Experts from Malcovery Security have discovered that the Gameover Zeus botnet is reborn, a new improved version has emerged from the underground.

A few weeks ago we have praised a multinational effort for the takeover of the Gameover Zeus botnet, one of the most long-lived and dangerous malicious infrastructure composed by a number of compromised computers ranging from 500,000 to 1 million units.

Unfortunately, the experts from Malcovery Security have discovered that the Gameover Zeus botnet is appearing again in the wild,  a new improved version has emerged from the underground. Bad actors behind the new Gameover Zeus botnet are using it for malicious spam campaigns with the intent to steal financial information from the infected machines.

Researchers at Malcovery Security spotted a different spam messages masquerading as legitimate emails from banks and financial institutions.

“Today Malcovery’s analysts identified a new Trojan based heavily on the Gameover Zeus binary. It was distributed as the attachment to three spam email templates, utilising the simplest method of infection through which this Trojan is deployed,” “From 9.06am to 9.55am we saw spam messages claiming to be from NatWest. The longest lasting of the spam campaigns was imitating M&T Bank, with a subject of ‘E100 MTB ACHMonitor Event Notification’. That campaign is still ongoing.” states the post published by the company.

The discovery of an improved version of the Gameover Zeus botnet is not a surprise for many security experts who warned law enforcement about the possibility that cybercrime ecosystem will respond to the international takeover with new a new powerful variant and new malicious campaigns.

From technical point of view, experts at Malcovery explained that the new Gameover Zeus botnet has a more resilient control infrastructure. The attacker implemented the Fast Flux is a technique to obfuscate the true location of the command server by building a tiered infrastructure. In the Fast Flux model systems act as proxies to make difficult to track and take down the botnet.

“The malware seems to have traded its peer-to-peer infrastructure for a new Fast Flux hosted C&C strategy,” states the post.

The analysis conducted by the expert confirmed that the new GameOver Zeus trojan share many characteristic with previous version, including the list of “URLs and URL substrings targeted by the malware for Web injects, form-grabs, and other information stealing capabilities.”

The criminals responsible for the distribution of the new GameOver Zeus Botnet will probably use in the next months the infrastructure to spread different variants and type of malicious codes, including banking trojan and ransomware.

Pierluigi Paganini

Security Affairs –  (Gameover Zeus, banking)