A new Trojan which is based on the binary of GameOver Zeus (GOZeus) binary has been detected.
According to a blog by Malcovery, this was distributed as the attachment to three spam email templates which claim to have come from NatWest bank. Malcovery analysts confirmed with the FBI and Dell SecureWorks, who aided in the takedown last month, which the original GameOver Zeus was still “locked down”.
The company said that it was able to identify a number of the command-and-control hosts believed to be involved in this attempt to revive the GameOver botnet and following contact with the hosts, the malware began to exhibit behaviours characteristic of the GameOver Trojan—including the characteristic list of URLs and URL substrings targeted by the malware for Web injects, form-grabs, and other information stealing capabilities.
Lancope director of security research, Tom Cross, said: “This new variant uses different command and control domains than the one that law enforcement targeted last month. This development was predicted by the law enforcement agencies and researchers involved in the initial botnet takedown, and it indicates that the operators of this botnet intend to continue to engage in this sort of computer crime. Certainly, the anti-botnet community will continue to fight them.”
A spokesperson at Jisc, said: “The two-week period that the NCA’s action gave provided a unique and invaluable opportunity to raise awareness and clean many infected systems. We expected that when the means of defence become public knowledge that we would start to see those groups adapt and change their tactics through the following weeks and months.
“Our sector is treating information security as a process of continual improvement to stay ahead of the game. Through Janet CSIRT, Jisc continues to provide advice to universities and colleges and research institutions on current threats, best practice and defence.”
In an email to IT Security Guru, Chris Boyd, malware intelligence analyst at Malwarebytes, said: “GOZeus was always going to reappear in one form or another. It’s rare that old, successful code exits stage left forever instead of being rerolled elsewhere – especially when dealing with the high reward payoffs that GOZeus can bring about.
“The new features and functionality will certainly keep researchers on their toes, and the distribution method – emails with zips attached – is a timely reminder that the old classics never die.”
In other news, Bitdefender reported that the CryptoLocker ransomware has not been active since the latest takedown operation last month, but its delivery network is still up and running.
The disruption last month saw communications between infected devices and the botnet cut off, and while communications have been disrupted, the CryptoLocker infrastructure is still up, Bitdefender said it is currently being used by other cyber criminals for scams, fake anti-viruses, fraud, casino schemes and even for the Citadel banking Trojan.
“At the moment, the fate of Cryptolocker is undetermined. Infected computers all over the world are still trying to call home to pre-determ
ine URL addresses created using the DGA algorithm, but they are unable to resolve the corresponding IP addresses,” Bitdefender noted in its report.
Cross said: “It is critically important that people have good system backups. The best defence against Cryptolocker is to be able to restore your system from a recent backup instead of paying a ransom to criminals. Paying these ransoms helps fuel the continued operation of a criminal enterprise and I strongly advise people not to do it.”