
Gameover Zeus Accessorizes at Vogue.com

2014-10-10 10:50

Our researchers this week spotted a Gameover Zeus sample receiving commands to download Zemot from hxxp://media.vogue[dot]com/voguepedia/extensions/dimage/cache/1zX67.exe

Gameover Zeus is a pervasive botnet that was disrupted by authorities in June. According to the FBI at the time, “GameOver Zeus is an extremely sophisticated type of malware designed specifically to steal banking and other credentials from the computers it infects. It’s predominately spread through spam e-mail or phishing messages.” It was believed that Gameover Zeus had infected as many as 1 million PCs globally.

[Figure: Infected Website Serving Zemot. Gameover Zeus spotted reaching out to a compromised vogue.com domain to download Zemot.]

Based on the Zeus Trojan, Gameover Zeus has also been used to gain backdoor access into systems for delivering other malware.

This week, ThreatTrack Security Labs and researchers such as @Techhelplistcom, @malware_traffic, @ydklijnsma and others have spotted Gameover Zeus reaching out to a compromised vogue.com domain to download Zemot – a family of Trojan downloaders – which according to Microsoft is usually distributed via the Kuluoz botnet.

Behavior worth noting in this Gameover Zeus sample upon execution is that it crawled a list of DGA domains until it hit:

DNS     88         Standard query A 9svbrf84qup3u945hr5xp9o6.net
Standard query response A 178.251.228.148 A 109.234.36.131
178.251.228.148            POST /updatec HTTP/1.1

It then downloaded Zemot from (hxxp://media.vogue.com/):

23.67.252.39     HTTP    284       GET /voguepedia/extensions/dimage/cache/1zX67.exe HTTP/1.1

Zemot then hit:

DNS     70         Standard query 0xa7c6  A nitomsk.su
Standard query response 0xa7c6  A 69.158.107.75 A 46.119.126.141 A 31.129.122.203 A 195.72.158.150 A 77.121.58.98 A 46.185.104.85 A 70.31.6.211 A 77.247.22.143 A 68.45.64.5 A 37.46.237.207 A 178.136.226.195 A 75.76.166.8
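The sequence above (DGA names queried until one resolves, a POST /updatec check-in to the resolved host, then an executable fetched from a legitimate-looking domain) can be picked out of DNS and proxy logs with a small heuristic. The following is an added detection example, not code from the original post or from ThreatTrack; the log format and the first DGA-style domain are constructed, the other values are those quoted in the write-up, and the length/entropy thresholds are assumptions to tune against your own traffic.

```python
import math
import re
from collections import Counter

# Constructed sample log modelled on the DNS/HTTP excerpts in the post. The first
# domain is a made-up DGA-style name; the remaining values are quoted in the write-up.
SAMPLE_LOG = """\
DNS query A yspomtb73ns1b7hxgc7gxj3v.com
DNS response NXDOMAIN yspomtb73ns1b7hxgc7gxj3v.com
DNS query A 9svbrf84qup3u945hr5xp9o6.net
DNS response A 9svbrf84qup3u945hr5xp9o6.net 178.251.228.148 109.234.36.131
HTTP POST 178.251.228.148 /updatec
HTTP GET 23.67.252.39 /voguepedia/extensions/dimage/cache/1zX67.exe
DNS query A www.example.com
DNS response A www.example.com 93.184.216.34
"""

def shannon_entropy(s):
    # Bits of entropy per character; random DGA labels score well above dictionary words.
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def looks_like_dga(domain):
    # Heuristic (assumed thresholds): long second-level label, high entropy, letters and digits mixed.
    label = domain.lower().split(".")[-2] if "." in domain else domain.lower()
    mixed = bool(re.search(r"[a-z]", label)) and bool(re.search(r"\d", label))
    return len(label) >= 16 and shannon_entropy(label) >= 3.5 and mixed

def analyze(log_text):
    """Return the DGA-looking domains queried, those that resolved, and the follow-on HTTP activity."""
    queried, resolved, hosts, beacons, downloads = [], [], {}, [], []
    for line in log_text.splitlines():
        f = line.split()
        if f[:2] == ["DNS", "query"] and looks_like_dga(f[3]):
            queried.append(f[3])
        elif f[:2] == ["DNS", "response"] and f[2] != "NXDOMAIN" and looks_like_dga(f[3]):
            resolved.append(f[3])
            for ip in f[4:]:
                hosts[ip] = f[3]                  # remember which IPs a live DGA name resolved to
        elif f[:2] == ["HTTP", "POST"] and f[2] in hosts:
            beacons.append((f[2], f[3]))          # check-in to a host reached via a DGA name
        elif f[:2] == ["HTTP", "GET"] and f[3].lower().endswith(".exe"):
            downloads.append((f[2], f[3]))        # executable fetched after the check-in
    return {"queried": queried, "resolved": resolved, "beacons": beacons, "downloads": downloads}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The NXDOMAIN answers for most of the DGA candidates are themselves a useful signal: a host that queries many high-entropy names in a short window and then starts posting to whichever one resolved is worth isolating.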

Moreover, this Gameover Zeus sample seems to be an updated variant targeting financial processes we’ve not yet seen in previous reports. Below is the complete list of targeted processes.

  • Btellerplus
  • bancline
  • fidelity
  • micrsolv
  • bankman
  • vantiv
  • episys
  • jack henry
  • cruisenet
  • gplusmain
  • launchpadshell.exe
  • dirclt32.exe
  • wtng.exe
  • prologue.exe
  • silverlake
  • v48d0250s1
  • fdmaster.exe
  • fastdoc
  • bitcoin-qt *
  • way4 *
  • openway *
  • agilis *
  • smartvista *
  • tranzware *
  • deltaworks *
  • translink *

* Application processes previously unreported as targets of Gameover Zeus.

According to URLquery.net, there were several malicious files being served on the Vogue domain, which have been removed. 1zX67.exe was an active threat as late as yesterday evening.

However, at the time of this posting, the botnet has switched gears and is now calling to hxxp://frogbossgroup.ru/wp-upload/pzx2xz.exe, and it is now pushing Pony/Fareit.

Block Gameover Zeus with VIPRE, which detects this threat as Win32.Malware!Drop.

Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs

The post Gameover Zeus Accessorizes at Vogue.com appeared first on ThreatTrack Security Labs Blog.


