
Bad Actors rebuild from scratch the Gameover Zeus Botnet

Experts at Arbor Networks discovered a new variant of the GameOver Zeus botnet that implements a DGA scheme.

Recently law enforcement agencies took down the GameOver Zeus botnet in a multinational effort, but a few weeks later researchers at Seculert spotted a new variant in the wild which implements a domain generation algorithm (DGA). Investigators from the FBI and Europol coordinated their activities to seize servers and domains used by the bad actors, infrastructure that authorities discovered was also used to distribute the CryptoLocker ransomware.

Experts at Seculert noticed that the DGA scheme allowed the botnet to grow from 1,000 new bots a week to 1,000 a day on average. According to experts at Arbor Networks, the cybercriminals behind the malicious infrastructure have rebuilt it. As explained by Dave Loftus, security analyst at Arbor Networks, until law enforcement arrests the members of the gang behind the GameOver Zeus botnet, the growth of the malicious network will continue.

GameOver Zeus was involved in financial fraud; the malware is able to steal banking credentials from infected machines.

Thanks to sinkhole analysis, the researchers identified at least 12,353 unique IP addresses worldwide belonging to the new GameOver Zeus botnet.

Between July 18 and July, the experts at Arbor Networks used five sinkholes to collect connections from infected GameOver Zeus hosts worldwide.

“The steady growth of newGOZ demonstrates the resilience of the attackers to keep their botnet active,” said Loftus. “While previous efforts to disrupt the botnet have been successful, these disruptions are usually only temporary. Until law enforcement can successfully prosecute the individuals behind the botnet, we expect the growth of newGOZ to continue well into the future.”

The original GameOver Zeus botnet implemented a peer-to-peer communication protocol that, lacking any centralized control point, made it hard to detect and more resilient to mitigation actions by law enforcement and security firms. The new GameOver Zeus no longer uses the P2P protocol but instead generates a series of domains with a DGA; this makes it easy for the bad actors to quickly rebuild their malicious infrastructure even after law enforcement takes it down.
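The switch to a DGA leaves a defender-side trace: an infected host queries many algorithmically generated names, most of which do not resolve until the operators register the day's domains. The following is an added example, not code from the article or from Arbor Networks, and it does not implement the real newGOZ algorithm (which the article does not describe); it applies a generic heuristic to constructed resolver log lines, flagging clients with repeated NXDOMAIN answers for high-entropy second-level labels.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines (not real newGOZ data): client qname rcode
SAMPLE_LOG = """\
10.0.0.5 mail.example.com NOERROR
10.0.0.5 www.example.com NOERROR
10.0.0.7 xk3qv9wzlr2pd.com NXDOMAIN
10.0.0.7 q8zt1nmvb3xc.net NXDOMAIN
10.0.0.7 wl0kz7r2pq9vj.org NXDOMAIN
10.0.0.7 zp4n8vxq1tkr.com NXDOMAIN
10.0.0.7 update.example.com NOERROR
10.0.0.9 cdn.example.net NOERROR
10.0.0.9 nx-typo.example.com NXDOMAIN
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random-looking labels score high, words low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname: str) -> str:
    """Second-level label, e.g. 'example' from 'www.example.com' (assumes a one-part TLD)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Yield (client, qname, rcode) from the space-separated constructed log format."""
    for line in text.splitlines():
        client, qname, rcode = line.split()
        yield client, qname, rcode


def dga_suspects(log_text: str, min_nx: int = 3, min_entropy: float = 3.0) -> dict:
    """Return {client: count} for clients whose failed lookups of random-looking
    labels reach min_nx; a single typo (low entropy, one NXDOMAIN) is not flagged."""
    hits = defaultdict(int)
    for client, qname, rcode in parse_log(log_text):
        if rcode == "NXDOMAIN" and shannon_entropy(registered_label(qname)) >= min_entropy:
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_nx}


if __name__ == "__main__":
    print(dga_suspects(SAMPLE_LOG))  # {'10.0.0.7': 4}
```

Thresholds are assumptions to be tuned against a baseline of the monitored network's own NXDOMAIN rate; a flagged client is a lead for host triage, not proof of infection.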

“Our sinkhole data reinforces steady growth of new Gameover Zeus since we started tracking the botnet.”

Loftus, referencing data provided by the firm Malcovery, which observed in mid-July that the Cutwail botnet began distributing the new GameOver Zeus via spam campaigns, said:

“Our sinkhole data provides a first look at how successful these spam campaigns have been. Between July 21-25, we observed a 1,879 percent increase, confirming that the cybercriminals are actively rebuilding their botnet from scratch.”

Most infections were in the United States and India; the Internet service provider, telecommunications and education sectors were the most affected.

Pierluigi Paganini

(Security Affairs – GameOver Zeus, cybercrime)  


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
