An evolved, more resilient version of the Gameover Zeus botnet has emerged, sending out malicious spam messages, just weeks after the high-profile takedown operation against it by law enforcement agencies from around the world.
Malcovery Security reported the evolved campaign after spotting a number of malicious spam messages masquerading as legitimate emails from banks.
“Today Malcovery’s analysts identified a new Trojan based heavily on the Gameover Zeus binary. It was distributed as the attachment to three spam email templates, utilising the simplest method of infection through which this Trojan is deployed,” read the post.
“From 9.06am to 9.55am we saw spam messages claiming to be from NatWest. The longest lasting of the spam campaigns was imitating M&T Bank, with a subject of ‘E100 MTB ACH Monitor Event Notification’. That campaign is still ongoing.”
The attacks are reportedly intended to steal financial information from the victim. The botnet’s re-emergence follows a high-profile global takedown operation against Gameover Zeus.
Law enforcement agencies across the globe, including the UK National Crime Agency (NCA), temporarily shut down the Gameover Zeus botnet, which was estimated to have enslaved between 500,000 and one million computers at its peak in June.
The temporary takedown was designed to give victims a window of opportunity to purge the malware from their systems and disconnect their machines from the botnet’s command-and-control (C&C) server.
Despite being called a success by the UK government, researchers in the security community warned the takedown could lead to evolved, more dangerous attacks.
Malcovery confirmed these warnings, and said the new Gameover Zeus botnet has a more robust infrastructure that makes it even more difficult to combat.
“The malware seems to have traded its peer-to-peer infrastructure for a new Fast Flux hosted C&C strategy,” read the post.
“This discovery indicates that the criminals responsible for Gameover’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.”
Fast-flux hosting hides a botnet’s phishing and malware delivery sites behind a constantly changing set of compromised systems. Those systems act as proxies for the real back-end server, so the addresses a domain resolves to rotate rapidly, which makes the infrastructure harder to track and take down.
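The rotating-proxy behaviour described above is also what makes fast-flux visible to defenders: a domain that keeps resolving to new addresses, spread across unrelated networks, with very short DNS TTLs. The following is an added example written for this page (not code from Malcovery, Lancope or the article) that applies that heuristic to passive DNS observations. The domain names, IP addresses (from the RFC 5737 documentation ranges) and thresholds are constructed assumptions for illustration.

```python
"""Heuristic fast-flux detector over passive DNS observations.

Each observation is one A-record answer seen for a domain:
(timestamp_seconds, domain, ip, ttl_seconds).  The sample data below is
constructed for this example; none of it comes from a real campaign.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: three domains with three different resolution patterns.
OBSERVATIONS = [
    # Fast-flux-like: a new address every few minutes, scattered /24s, TTL 180.
    (0,    "flux-example.invalid", "203.0.113.10", 180),
    (180,  "flux-example.invalid", "198.51.100.77", 180),
    (360,  "flux-example.invalid", "192.0.2.200", 180),
    (540,  "flux-example.invalid", "203.0.113.55", 180),
    (720,  "flux-example.invalid", "198.51.100.9", 180),
    (900,  "flux-example.invalid", "192.0.2.31", 180),
    # CDN-like: low TTL and several addresses, but all inside one /24.
    (0,    "cdn-example.invalid", "203.0.113.1", 60),
    (60,   "cdn-example.invalid", "203.0.113.2", 60),
    (120,  "cdn-example.invalid", "203.0.113.3", 60),
    (180,  "cdn-example.invalid", "203.0.113.4", 60),
    (240,  "cdn-example.invalid", "203.0.113.5", 60),
    # Ordinary site: a single address with a long TTL.
    (0,    "static-example.invalid", "192.0.2.8", 86400),
    (86400, "static-example.invalid", "192.0.2.8", 86400),
]


def prefix24(ip: str) -> str:
    """Return the /24 network an address belongs to, e.g. '203.0.113.0/24'."""
    return str(ip_network(f"{ip}/24", strict=False))


def summarize(observations):
    """Aggregate per-domain resolution statistics from the observation list."""
    per_domain = defaultdict(lambda: {
        "ips": set(), "prefixes": set(), "ttls": [], "changes": 0, "last_ip": None,
    })
    for _ts, domain, ip, ttl in sorted(observations):
        d = per_domain[domain]
        d["ips"].add(ip)
        d["prefixes"].add(prefix24(ip))
        d["ttls"].append(ttl)
        # Count how often consecutive answers pointed at a different host.
        if d["last_ip"] is not None and d["last_ip"] != ip:
            d["changes"] += 1
        d["last_ip"] = ip
    return per_domain


def score_domain(summary, max_ttl=300, min_ips=5, min_prefixes=3):
    """Return (is_fast_flux, reasons).

    All three indicators must fire: a low TTL alone is normal for CDNs, and
    many addresses alone is normal for large load-balanced sites.  Requiring
    the addresses to be spread across unrelated prefixes is what separates a
    rotating pool of compromised proxies from a legitimate hosting cluster.
    Thresholds are assumed values for this example, not published ones.
    """
    reasons = []
    if min(summary["ttls"]) <= max_ttl:
        reasons.append("low TTL")
    if len(summary["ips"]) >= min_ips:
        reasons.append("many distinct IPs")
    if len(summary["prefixes"]) >= min_prefixes:
        reasons.append("addresses spread across prefixes")
    return len(reasons) == 3, reasons


def find_fast_flux(observations):
    """Return the sorted list of domains whose resolution history looks fast-flux."""
    summaries = summarize(observations)
    return sorted(d for d, s in summaries.items() if score_domain(s)[0])


if __name__ == "__main__":
    for domain, summary in summarize(OBSERVATIONS).items():
        flagged, reasons = score_domain(summary)
        print(f"{domain}: {'FLUX' if flagged else 'ok'} {reasons}")
```

In a real deployment the /24 prefix check would be replaced by ASN lookups, and the domain list would be fed from a DNS resolver log or a passive DNS feed; the point of the example is that the three indicators are only meaningful in combination, since the CDN-like domain above trips two of them on its own.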
Tom Cross, director of security research at Lancope, said he expects the botnet to continue to develop in the near future and warned IT managers to be extra vigilant.
“It is critically important people have good system backups. The Gameover Zeus Trojan has been used in the past to disseminate Cryptolocker, a ransomware that encrypts the victim’s computer files and demands payment in order to unlock them,” he said.
“The best defence against Cryptolocker is to be able to restore your system from a recent backup instead of paying a ransom to criminals. Paying these ransoms helps fuel the continued operation of a criminal enterprise and I strongly advise people not to do it.”
The new Gameover Zeus campaign is one of many evolved cyber attacks discovered this week. On Wednesday, FireEye researchers uncovered a new botnet, codenamed BrutPOS, targeting point-of-sale (POS) systems with advanced attacks to steal banking credentials.