The hacker gang behind the notorious Gameover Zeus campaign has returned to action by attempting to spread a weaker, less complex version of the original malware.
Deepen Desai, director of security research at Zscaler, revealed the campaign in a blog post, reporting that the firm spotted the attack while examining a wave of spam messages being sent from the Cutwail botnet.
"We started seeing infection reports involving a new Gameover Zeus variant early last month (July 2014). The major infection vector still remains the same where the Cutwail botnet is being leveraged by the cyber criminals to send out spam emails with a malicious attachment," read the post.
"The malicious attachment on most occasions masquerades as a financial PDF document in order to lure an unsuspecting user into opening it. Once the user opens the attachment, it downloads the latest Gameover Zeus variant from a predetermined location."
Desai said the new version has the same information-stealing goal as its predecessor, but uses more basic technologies. "The previous Gameover Zeus variant used a peer-to-peer (P2P) command-and-control protocol in addition to a failover domain generation algorithm (DGA), to establish connection with a C2 server," he said.
"However, this newer variant does not feature a P2P command and control protocol; instead it is falling back to the old DGA with fast flux tactics to hide the C2 servers. This, in our opinion, is a step backward as P2P was a more resilient feature."
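The fallback Desai describes, a DGA combined with fast flux to hide the C2 servers, leaves traces in DNS resolver logs. The following added example (not Zscaler's code or anything from the article) runs two heuristic checks over constructed log lines: a long, high-entropy, vowel-poor registrable label as a DGA signal, and many short-TTL answers for one name as a fast-flux signal; the log format, domain names and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not from the article), one per query:
# "<unix_time> <client_ip> <queried_name> <answer_ip> <ttl_seconds>"
SAMPLE_LOG = """\
1407000001 10.0.0.5 www.example.com 93.184.216.34 86400
1407000002 10.0.0.5 www.example.com 93.184.216.34 86400
1407000010 10.0.0.7 qzxkvbtrlpmwn.net 198.51.100.10 60
1407000071 10.0.0.7 qzxkvbtrlpmwn.net 198.51.100.23 60
1407000132 10.0.0.7 qzxkvbtrlpmwn.net 203.0.113.8 60
1407000193 10.0.0.7 qzxkvbtrlpmwn.net 203.0.113.77 60
1407000200 10.0.0.9 mail.google.com 142.250.74.5 300
"""

def shannon_entropy(text):
    """Bits per character; random-looking DGA labels score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(qname, min_len=8, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic DGA check on the registrable label (e.g. 'example' in
    'www.example.com'): long, high-entropy, vowel-poor labels are suspect.
    Thresholds are assumed starting points, not tuned values."""
    parts = qname.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    return (len(label) >= min_len and shannon_entropy(label) >= min_entropy
            and vowel_ratio <= max_vowel_ratio)

def fast_flux_candidates(log_text, min_ips=3, max_ttl=300):
    """Names whose answers rotate through many IPs with short TTLs, the
    pattern fast flux produces. CDNs can look similar, so treat this as
    a triage signal, not proof."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        _ts, _client, qname, ip, ttl = line.split()
        ips[qname].add(ip)
        ttls[qname].append(int(ttl))
    return sorted(q for q in ips
                  if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl)

def triage(log_text):
    """Names that trip both checks: DGA-looking and fast-fluxing."""
    return [q for q in fast_flux_candidates(log_text) if looks_generated(q)]
```

Running `triage(SAMPLE_LOG)` on the constructed log returns only the generated-looking, fast-fluxing name; the two legitimate names fail both checks.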
Law enforcement agencies across the globe, including the UK National Crime Agency (NCA), temporarily shut down the original Gameover Zeus botnet, which was estimated to have enslaved between 500,000 and a million computers at its peak in June.
Although the takedown did not catch the author of the malware and the campaign, it is believed to have caused untold damage to the original Gameover Zeus operation. Desai said the DGA architecture is one of several technical downgrades.
"Another step backward that we observed is the absence of the kernel-mode rootkit that was pushed out as an update early this year by the Gameover Zeus operators in the previous version. The rootkit made removal of the malware extremely difficult and disabled multiple security features on the infected system," he explained.
Zscaler is one of many security firms to report uncovering a new Gameover Zeus version. Malcovery Security reported finding an evolved, more resilient version of the Gameover Zeus botnet sending out malicious spam messages in July.
Combating criminal operations has been an ongoing goal of European law enforcement. On Monday, Europol's European Cybercrime Centre (EC3) launched a Joint Cybercrime Action Taskforce (J-CAT) pilot programme in a bid to take on cyber crime operations such as Gameover Zeus.