Dell SecureWorks Counter Threat Unit (CTU) security analysts have analyzed the Gameover ZeuS Trojan, also known as P2P ZeuS. The malware drives one of the world's most sophisticated botnets, which is used for online banking fraud.
The botnet's operators are well connected with other cyber criminals in underground communities and rely on tools and services those criminals provide. This particular group uses the Cutwail spam botnet to reach new victims and Pony Loader to steal account credentials and download additional malware such as Gameover ZeuS.
This August, CTU analysts found that the operators had begun distributing their malware with a new loader, Upatre, in addition to Pony Loader. The Upatre executable is small and simple. Once run, it downloads the payload over an SSL connection and executes it; it also copies itself into a temporary directory, launches that copy and terminates the original process, deleting the original file in the process. Like Pony Loader, this downloader is spread through Cutwail spam.
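Because the payload download happens over SSL, the most reliable place to catch a loader like this is host telemetry rather than the wire. The following is an added detection example, not SecureWorks code and not part of the original article, that looks for the self-relocation sequence described above in process start/stop events: a child whose image has the same file name as its parent, launched from a temp directory while the parent is not, with the parent exiting shortly afterwards. The pipe-delimited event format, the temp-directory markers and the sample events are all constructed for this example; map them onto your own process-creation and process-termination telemetry.

```python
"""Constructed detection example for the copy-to-temp, launch-copy, exit-original
pattern. The event format and sample data are invented for illustration; this
is not the loader and not the vendor's detection logic."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Assumption: these substrings identify temp directories in your environment.
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class ProcEvent:
    ts: float      # event time in seconds
    kind: str      # "start" or "stop"
    pid: int
    ppid: int      # 0 on stop events in this constructed format
    image: str     # full image path; empty on stop events


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed line of the form ts|kind|pid|ppid|image."""
    ts, kind, pid, ppid, image = line.split("|", 4)
    return ProcEvent(float(ts), kind, int(pid), int(ppid), image)


def is_temp_path(path: str) -> bool:
    """True when the path lies under one of the temp-directory markers."""
    return any(marker in path.lower() for marker in TEMP_DIR_MARKERS)


def find_self_relocations(events: List[ProcEvent],
                          max_parent_lifetime: float = 10.0) -> List[Dict]:
    """Return each child that is a same-named copy of its parent started from a
    temp directory. parent_exited is True when the parent stopped within
    max_parent_lifetime seconds of the child's start. PID reuse is ignored
    here for brevity; real telemetry should key on a process GUID instead."""
    starts = {e.pid: e for e in events if e.kind == "start"}
    stops = {e.pid: e for e in events if e.kind == "stop"}
    hits = []
    for child in starts.values():
        parent = starts.get(child.ppid)
        if parent is None:
            continue
        same_name = (ntpath.basename(child.image).lower()
                     == ntpath.basename(parent.image).lower())
        if not (same_name and is_temp_path(child.image)
                and not is_temp_path(parent.image)):
            continue
        stop = stops.get(parent.pid)
        parent_exited = (stop is not None
                         and 0.0 <= stop.ts - child.ts <= max_parent_lifetime)
        hits.append({
            "parent_pid": parent.pid, "parent_image": parent.image,
            "child_pid": child.pid, "child_image": child.image,
            "parent_exited": parent_exited,
        })
    return hits


# Constructed sample telemetry: one relocation chain plus two benign controls.
SAMPLE_EVENTS = [
    "1000.0|start|100|4|C:\\Windows\\explorer.exe",
    "1001.0|start|200|100|C:\\Users\\alice\\Downloads\\attachment.exe",
    "1001.5|start|201|200|C:\\Users\\alice\\AppData\\Local\\Temp\\attachment.exe",
    "1002.0|stop|200|0|",
    # control: installer run from Temp by explorer, parent name differs
    "1005.0|start|300|100|C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
    # control: same-named child that is not in a temp directory
    "1006.0|start|400|100|C:\\Program Files\\App\\app.exe",
    "1006.2|start|401|400|C:\\Program Files\\App\\app.exe",
]


def run_on_samples() -> List[Dict]:
    """Run the detector over the constructed sample events."""
    return find_self_relocations([parse_event(line) for line in SAMPLE_EVENTS])


if __name__ == "__main__":
    for hit in run_on_samples():
        print(hit)
```

Only the attachment.exe chain is reported; the installer started from Temp by explorer and the same-named child outside Temp are not. Tune the temp-directory markers and the parent-lifetime window to your environment, and expect to add an allow-list for legitimate self-updaters that use the same relocate-and-exit trick.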