Gameover ZeuS
GameOver ZeuS, also known as peer-to-peer ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and for being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.
The original GameOver ZeuS was propagated through spam emails containing links to websites that would download the malware onto the victim's computer. The infected computer was then integrated into a botnet, considered to be one of the most sophisticated and secure botnets in the world at the time. The GOZ botnet was particularly notable for its decentralized, peer-to-peer infrastructure, which, combined with other security measures such as rootkits, made shutting down the botnet extremely difficult. The botnet's activities were additionally directed by an organized crime group headed by Bogachev, which was primarily based in Russia and Eastern Europe. The syndicate further complicated attempts by law enforcement and security researchers to combat it through a large money laundering network and DDoS attacks, the latter used both as retaliation and as a form of distraction during thefts.
In 2014, the original GameOver ZeuS botnet was shut down by a collaboration between several countries' law enforcement and private cybersecurity firms, named Operation Tovar. Bogachev was indicted shortly after and a reward of $3 million was issued for information leading to his arrest, at the time the highest reward for a cybercriminal in history. Less than two months after Operation Tovar was executed, a new strain of GameOver ZeuS was discovered. Named "newGOZ", it lacked peer-to-peer capabilities but otherwise shared ninety percent of its codebase with the original GOZ. The involvement of the original GameOver ZeuS administrators in newGOZ's activity since its creation is disputed.
Background and early history
Zeus
Zeus is a family of Trojan horses and related crimeware which first appeared in 2007. The chief characteristic of Zeus variants is their ability to integrate infected machines into botnets, systems of multiple devices that could be controlled remotely through the malware.
The creator and main developer of the original Zeus was Evgeniy Bogachev, also known as "lucky12345" and "slavik". The original version of Zeus was "kit malware"—a prospective cybercriminal would purchase a license to use a copy of Zeus or obtain an inferior, free version. With the license, the purchaser could use Zeus to make their own Trojan, which they could use as they pleased. In late 2010 Bogachev announced that he was retiring from cybercrime and handing over Zeus's code to a competitor called SpyEye. Security researchers viewed the move with skepticism, as Bogachev had on multiple previous occasions announced his retirement only to return with an improved version of Zeus. In fact, Bogachev had not retired, but had transitioned from selling Zeus as kit malware to the general criminal underground to selling access to fully completed versions of the Trojan to a narrower clientele. This "private" version of Zeus became known as Zeus 2.1, or Jabber Zeus. Jabber Zeus-facilitated crimes were run by an organized crime syndicate, of which Bogachev was a key member, which largely dissolved in 2010 due to police action.
Origins and names
GameOver ZeuS was created on September 11, 2011, as an update to Zeus 2.1. In May 2011, the source code for Zeus was leaked, resulting in a proliferation of variants. Security researchers have variously attributed the leak to Bogachev or Aleksandr Panin, the creator of SpyEye. Cybersecurity advisor Sean Sullivan noted that the leak was convenient for Bogachev, who could refocus on new criminal ventures whilst investigators were distracted by the new Zeus variants.
Researchers became aware of the GameOver ZeuS botnet in 2011. In January 2012, the FBI issued warnings to companies instructing them to look out for GOZ. The name "GameOver ZeuS" was invented by security researchers, and comes from a file named "gameover2.php" used by the C2 channel. Other names have included peer-to-peer ZeuS, ZeuS3, and GoZeus. The malware was known within Bogachev's crime network as Mapp 13, "13" being the version number.
Criminal activity
Modus operandi and management
GameOver ZeuS was spread using spam emails impersonating various groups such as online retailers, financial institutions, and cell phone companies. The emails would contain a link to a compromised website from which the malware was downloaded. These spam emails were sent via a different botnet, Cutwail, that was frequently rented out by cybercriminals to send spam.
Usage of GameOver ZeuS was managed by Bogachev and a group that referred to itself as the "business club". The business club consisted mostly of criminals who had paid a fee to be able to use GOZ's interface. By 2014 there were around fifty members of the business club, mostly Russians and Ukrainians. The network also employed technical support staff for the malware. The criminal network's members were spread across Russia, but the core members, such as Bogachev, were mainly based in Krasnodar. Business club members did not exclusively use GOZ and were often members of other malware networks. Nonetheless, the United States Department of Justice described the group's members as "tightly knit".
In addition to the business club, a large number of money mules were recruited to launder stolen funds. Mules, based in the US to avoid suspicion, were recruited through spam emails sent by the GOZ botnet, offering part-time work. Money mules were not aware that they were handling stolen funds or working for a criminal syndicate.
The business club controlled all GameOver ZeuS activity from 2011 to 2014. The syndicate primarily used GOZ to engage in bank fraud and extortion; however, other revenue streams such as click fraud and renting out the botnet were known to exist.
Bank theft and interface
GameOver ZeuS was typically used to steal banking credentials, commonly from hospitals. This was primarily done via keystroke logging. However, the malware was capable of using browser hijacking to bypass two-factor authentication, and its interface had a special "token grabber" panel to facilitate these man-in-the-browser attacks, titled "World Bank Center" and with the slogan "we are playing with your banks". By presenting the victim with a false version of their bank's login page, a criminal could request whatever code or information was needed to log into the victim's account. Once the victim "logged in" to the false page with this information, they would receive a "please wait" or error screen while the credentials were sent to the criminals. With this information, the malware operators could access the bank account and steal money, usually hundreds of thousands or millions of dollars. In one instance, $6.9 million was stolen from a single victim. In 2013, GOZ accounted for 38% of thefts pursued in this manner.
Beginning in November 2011, the operators of GOZ would conduct DDoS attacks against banking websites if they were stealing a large amount of money, in order to prevent the victim from logging in and to divert the attention of network administrators away from the theft. The DDoS attacks were performed using a commercially available kit named "Dirt Jumper". Stolen money was routed through a large network of money mules before it made it to the criminals, hiding its origin and destination from authorities. By June 2014, more than $100 million was stolen in the United States alone.
The siphoning of money followed the day-night line, beginning in Australia and ending in the United States. Criminals involved in money movement worked nine-to-five shifts from Monday to Friday, handing over responsibilities to whatever team was west of them when their shift ended. The final destination of most money mule transfers was shell companies based in Raohe County and the city of Suifenhe, two regions in China's Heilongjiang province on the China–Russia border.
The interface controlling the botnet could be used to read data logged by the bots and execute commands. In addition to the token grabber panel, another panel existed to facilitate the siphoning of money from bank accounts, allowing the user to select a "destination account" that money would be indirectly sent to. Botnet managers were also allowed to load their own scripts to use against infected systems, with the caveat that they could not attack Russian computers.
CryptoLocker
In 2013, the business club began to use GameOver ZeuS to distribute CryptoLocker, a piece of ransomware that encrypted the contents of victim computers and demanded payment in prepaid cash vouchers or bitcoin in exchange for a decryption key. Josephine Wolff, assistant professor of cybersecurity policy at Tufts University, has speculated that there were two motivations behind the pivot to ransomware. Firstly, ransomware was a more secure means of making money from GOZ than bank theft, as ransomware could take money from victims with less work on the criminals' end, and the anonymous payment methods did not need to be laundered through money mules, whose loyalties were in question because they did not know they were working for criminals. Secondly, ransomware took advantage of the criminals' access to data on infected computers that was significant to victims but of no immediate value to criminals, such as photographs and emails. Journalist Garrett Graff has also suggested that ransomware served to "transform dead weight into profit" by extracting money from victims whose bank balances were too small to warrant directly stealing from.
Between 200,000 and 250,000 computers were attacked by CryptoLocker beginning in 2013. The amount of money Bogachev and associates made from CryptoLocker is unclear; Wolff claimed that in a one-month period from October to December 2013 alone, $27 million was stolen. However, Michael Sandee, one of the researchers who helped take down the original GameOver ZeuS botnet, has given a much lower estimate of $3 million for the entire duration of CryptoLocker's activity. Wolff has argued that GameOver ZeuS's legacy lies not in its innovative P2P botnet structure, but in the precedent it set in CryptoLocker for future ransomware attacks.