NewGOZ malware sees 1,879 percent infection boom in July

NewGOZ is a variation of Gameover Zeus

Infection rates of the latest Gameover Zeus malware variant, “NewGOZ”, rose by 1,879 percent in July, despite efforts from law enforcement to shut down the criminal operation, according to security firm Arbor Networks.

Arbor Networks’ Asert team reported uncovering the trend after running a series of sinkholes against NewGOZ.

“It has been a few weeks since news broke of the Gameover Zeus variant known as NewGOZ. The major change in this version is the removal of the P2P command and control (C2) component in favor of a new domain generation algorithm (DGA),” explained the team in a blog post.

“Date-based domain-generation algorithms make for excellent sinkholing targets due to their predictability, and provide security researchers the ability to estimate the size of botnets that use them. With this in mind, we have gathered five days’ worth of NewGOZ sinkhole data.”
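To show what the Asert team means by a predictable DGA being a sinkholing target, here is an added, constructed example (not Arbor's code and not NewGOZ's real algorithm): a stand-in date-seeded DGA, the pre-computation of a day's domains so a sinkhole can be registered ahead of time, and a per-day count of unique source IPs from constructed sinkhole log lines. The seed, the domain format and the log data are all assumptions made for the example.

```python
import hashlib
from collections import defaultdict
from datetime import date, timedelta

def dga_domain(day: date, seed: str = "constructed-seed", tld: str = ".net") -> str:
    """Stand-in date-seeded DGA, constructed for this example (not NewGOZ's real
    algorithm). Anyone holding the seed can compute each day's C2 domain ahead of
    time, which is what makes such families predictable sinkhole targets."""
    digest = hashlib.sha256(f"{seed}:{day.isoformat()}".encode()).hexdigest()
    return digest[:12] + tld

def expected_domains(start: date, days: int) -> dict:
    """Pre-compute domain -> date for a window, so sinkholes can be registered early."""
    return {dga_domain(start + timedelta(i)): start + timedelta(i) for i in range(days)}

def count_victims(log_lines, domains) -> dict:
    """Estimate botnet size per day as unique source IPs hitting our sinkholed domains.
    Each constructed log line is 'YYYY-MM-DD src_ip queried_host'."""
    seen = defaultdict(set)
    for line in log_lines:
        day, src, host = line.split()
        if host in domains:            # ignore lookups for domains we do not own
            seen[day].add(src)         # a host querying twice is still one victim
    return {d: len(ips) for d, ips in sorted(seen.items())}

def pct_increase(first: int, last: int) -> float:
    """Growth between the first and last day of the window, as a percentage."""
    return (last - first) / first * 100.0

START = date(2014, 7, 21)
DOMAINS = expected_domains(START, 5)            # July 21 to July 25
def d(day): return dga_domain(date(2014, 7, day))  # shorthand for the constructed log
# Constructed sinkhole log (not Arbor's data); counts are deliberately tiny.
SAMPLE_LOG = [
    f"2014-07-21 10.0.0.1 {d(21)}",
    f"2014-07-21 10.0.0.1 {d(21)}",     # repeat query from the same host
    f"2014-07-21 10.0.0.2 {d(21)}",
    f"2014-07-22 10.0.0.3 {d(22)}",
    f"2014-07-22 10.0.0.4 example.com", # unrelated lookup, must be ignored
    f"2014-07-23 10.0.0.5 {d(23)}",
    f"2014-07-24 10.0.0.6 {d(24)}",
    f"2014-07-25 10.0.0.7 {d(25)}",
    f"2014-07-25 10.0.0.8 {d(25)}",
    f"2014-07-25 10.0.0.9 {d(25)}",
    f"2014-07-25 10.0.0.10 {d(25)}",
]

if __name__ == "__main__":
    per_day = count_victims(SAMPLE_LOG, DOMAINS)
    print(per_day, f"{pct_increase(per_day['2014-07-21'], per_day['2014-07-25']):.0f}% growth")
```

Real sinkhole counts need the same care shown here (dedupe by host, discard unrelated lookups) and are still only a lower bound, since NAT hides multiple infections behind one address.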

Asert security analyst Dave Loftus told V3 the operation revealed an alarming 1,897 percent spike in NewGOZ infections during the period, peaking at 8,494 victims.

“Between July 21 and July 25, during which time a spam campaign targeting the UK was active, we observed a 1,879 percent increase in the number of new Gameover Zeus infections. Once computers are infected, the malware is used to steal banking credentials from its victims,” he said.

Fellow Asert analyst Dennis Schwarz added that the team found evidence that the campaign is leveraging the Cutwail botnet to mount UK-focused strikes.

“The Cutwail botnet has been used to distribute spam e-mails containing the malware. These spam e-mails are designed to trick victims into thinking that they have been sent from UK financial institutions, indicating that individuals in the UK have been deliberately targeted,” he said.

“The infections are spread across the UK, with many clustered in large cities such as London, as well as many boroughs.”

Loftus said the firm expects to see further growth in infection numbers in the very near future, but added it will still be some time before the operation matches the success of its predecessor Gameover Zeus.

“In any case, this new variant still has a lot of work to do to catch up with its former P2P version, which was consistently estimated in the hundreds of thousands to millions of infections at various times during its reign.”

“Our sinkhole data suggests further growth. Last week, as our blog post was getting prepped to be published, the threat actor behind NewGOZ had stopped registering new C2 domains for a few days. We thought that maybe this was going to indicate a change in tactics, but the actor has restarted registering C2 domains this week,” he said.

The news follows a co-ordinated takedown operation against Gameover Zeus. The operation saw enforcement agencies across the globe partner with numerous security firms to temporarily shut down the Gameover Zeus botnet in May.

Schwarz recommended that businesses take a variety of measures to protect themselves from NewGOZ.

“Do not open email attachments from unknown sources or log in to online banking websites from untrusted computers. Additionally, it’s important to keep software such as Java, Adobe Flash and Adobe Reader updated, as these new versions often contain important security-related fixes,” he said.

“Large businesses that have the ability should proactively monitor their network for suspicious activity. People may also want to consider deploying Microsoft’s Enhanced Mitigation Experience Toolkit to help reduce the exploitation of vulnerabilities in software.”

The NewGOZ malware is one of many new attack tools uncovered in recent weeks. Earlier in August, Trend Micro reported uncovering a cyber campaign using an advanced piece of malware, codenamed Poweliks, to steal information from Microsoft Windows customers.


14 August 2014 | 10:51 am – Source: v3.co.uk
