Gameover Zeus re-emerges without peer-to-peer capability

Dell SecureWorks Counter Threat Unit™ (CTU) researchers have observed the distribution of a modified version of the Gameover Zeus malware. The global Gameover Zeus infrastructure was disrupted in late May 2014 by law enforcement and private industry partners during Operation Tovar. The infrastructure, including its peer-to-peer (P2P) network, remains under the control of those organizations and is not available to the threat actors who originally operated it. The new version has jettisoned the P2P component in favor of a centralized command and control (C2) infrastructure that is based on a previously unseen domain generation algorithm (DGA).

CTU researchers observed this latest version of the Gameover Zeus malware at approximately 10:00 am EDT on July 10, 2014 in a spam email sent by the Cutwail botnet (see Figure 1). Other lures containing the same malware were also observed around that time.

Figure 1. Cutwail botnet spam email containing the new Gameover Zeus variant. (Source: Dell SecureWorks)

Opening the attached ZIP archive reveals a malicious file named "E-statement.pdf.scr" (MD5: 5e5e46145409fb4a5c8a004217eef836) that displays a familiar Adobe Reader PDF icon. When executed, the malicious file creates a modified copy of itself inside a directory under %AppData% or %Temp%. Both the filename and directory name are random; for example, Beexfkaaj.exe, Keebzaityli.exe, and Koumygubwoi.exe. Stolen data is stored in %AppData% as a file with another randomly generated name and extension, such as xiip.obm, veok.ywg, and aveh.bir.

The malware iterates through a list of potential C2 servers created by an internal DGA. Previous Gameover Zeus versions relied primarily on the P2P component for communication but reverted to a DGA if no peers could be contacted. The new DGA used in this version generates 1,000 domains per day. Each domain name contains 21 to 28 lowercase alphanumeric characters under the .com, .net, .biz, and .org top-level domains (TLDs). For example:

• bmo0ve7lxujkiid9sycsfxb.biz
• 1gkdng316lekt41ohkj3yi1gxzt.net
• 1x162cb489ebmyfibcyujrg7.com
• 1m29d4pp9t4t910tf4htihifak.org
• 1odurmg100mx3pojsrt51d95f0o.com

When the malware successfully contacts a live C2 server, the malware sends RSA-encrypted data using an HTTP POST request on TCP port 80 (see Figure 2). The use of RSA ensures bots can communicate only with attacker-controlled assets.

Figure 2. Gameover Zeus phone-home traffic over HTTP. (Source: Dell SecureWorks)

The C2 servers observed as of this publication are hosted on a separate proxy botnet that uses a double fast-flux DNS configuration. This botnet, which is operated and rented out by a different threat group than the one operating this Gameover Zeus variant, has been used by dozens of malware families over the past year, including Rerdom, KINS, Pony Loader, and Andromeda. It typically includes several hundred to several thousand hosts at a time, mostly located in Russia and Ukraine.

At approximately midnight EDT, July 11, 2014, CTU researchers sinkholed one of the domains generated by the Gameover Zeus DGA. In the twelve hours following, the domain was contacted by 177 active compromised systems. Table 1 shows the geographic distribution of these compromised systems.

Table 1. Geographic distribution of systems compromised with latest Gameover Zeus variant.

To mitigate exposure to this threat, CTU researchers recommend that organizations use available controls to restrict access using the indicators in Table 2. The domain in the indicators table may contain malicious content, so consider the risks before opening it in a browser.

Table 2. Indicators for the Gameover Zeus malware variant.