The New GameOver Zeus Variant (newGOZ) Spams Again

Almost two weeks ago, PhishMe identified a new Trojan based almost entirely on the notorious GameOver Zeus variant. The new GameOver Zeus variant demonstrated many of the same behaviors and characteristics of the original. The most notable change between these two Trojans was the abandonment of the peer-to-peer botnet used by the older GameOver Zeus. Instead, the new variant used a new fast-flux infrastructure. However, much of the behavior—and malicious capabilities— of the original was retained in this newer form of the malware.

Today, a large number of spam emails were received and analyzed by PhishMe in one of the most intense attacks of recent days. Furthermore, analysis of this emerging threat demonstrated that criminals are not only attempting to capitalize on the heritage of functionalities associated with GameOver Zeus but, they are also making incremental advancements.

The new GameOver Zeus malware variant utilized new spam email templates, with the emails distributed by the Cutwail spam botnet. These entirely new sets of message content present the greatest likelihood of evading spam detection and mitigation—thereby increasing the likelihood that the hostile emails will be delivered to end users and the malware payload will be delivered.

The spam email messages distributing this malware make use of common malicious spam themes. The new spam email templates were recently confirmed by Brett Stone-Gross of Dell SecureWorks as having been distributed by the Cutwail botnet.

The file attached to these spam messages is downloader that was once specific to the peer-to-peer GameOver Zeus Trojan. This downloader has previously been known to make use of as many as 50 locations to obtain payload files. This helps to ensure the malicious payload is delivered. If one location is blocked, there are 49 other possible download locations that can be used.  Today’s sample was delivered with a single hard-coded payload URL rather than the large list seen in previous deployments of this downloader.

The risk of infection – and the chance of infections spreading like wild fire – is considerable. Only 5 of 53 antivirus software vendors – as reported by VirusTotal – correctly identified the downloader as malware. Furthermore, the GameOver payload obtained by this downloader was only marked as malicious software by only 4 of 53 antivirus software products. Like its predecessor, the new malware variant drops a modified copy of itself that generates a unique checksum for every new infection.

Once the newGoZ binary has been executed, it begins to cycle through domain names produced by a domain generation algorithm seeking out an active command and control host. At the time of analysis, four such hosts were active and distributing configuration data to infected bots.

dwgu4j8n210w18spq9rsz0uzj[.]biz
178.211.41[.]246
211.108.69[.]117
4.30.111[.]88
hmeyx8mxqrxe1uwcn5w1win68w[.]net
178.211.41[.]246
211.108.69[.]117
4.30.111[.]88
szaj031k3ha447pniqr1003qx6[.]org
178.211.41[.]246
211.108.69[.]117
4.30.111[.]88
1stze0f1u7of3z18wu4in5prafy[.]net
178.211.41[.]246
211.108.69[.]117
4.30.111[.]88

One of the most notable aspects of this malware’s behavior is its list of targeted URLs, obtained from the command and control infrastructure following infection. These URLs primarily represent those locations on the Web at which the threat actor hopes to steal private information from victims. Many of these URLs are locations involved with online banking and are specific to certain banking institutions. Others are related to online shopping, the intention being to obtain card details that are used to pay for goods purchased online. The following represent examples of some of those targeted URLs.

Some of those URLs are included with nomenclature used by the older GameOver Zeus Trojan, which denotes that a specific activity is to be carried out at those URLs such as the taking of screenshots or the addition of malicious content to a webpage via web inject.

When we first announced the new GameOver Zeus variant – we have named it newGOZ internally -the malicious actors behind the malware were using a fairly limited spam distribution method.  The light spam volume may have been in part due to a desire to take a test run with the new malware. With today’s higher volume spam campaign, we believe we will be seeing much more of the newGOZ malware in the coming days and weeks.  While it is too early to tell if this will become a dominant malware system like the old GameOver Zeus, PhishMe is sharing information widely about the new threat in the hope that we can stop this botnet before it grows out of control.

Two Major Media Outlets Fall Prey to Hackers
PhishMe reveals source and metrics behind new phishing attack

Leave a Reply