Gameover Zeus Variants Targeting Ukraine, US

Gameover Zeus has recently started to use Domain Generation Algorithms (DGAs), as OpenDNS Security Labs pointed out here. We have spotted two versions in the wild: one generates 1.000 domains per day and the other 10.000. Each generated domain is active for only one day, so by sinkholing a particular domain we can observe the botnet's structure and activity for the corresponding day.
After sinkholing 5 domains on 5 different days for each of the two botnets, we noticed that some things remained constant, which let us draw some interesting conclusions. The botnets behind the two DGAs differ sharply in their countries of interest. The first version seems to have a higher infection density in the US, which surprises no one, as most malware families extort money there. The worldwide distribution of this version (including all the sinkholed domains) is illustrated in the figure below:

The data confirms the findings of Peter Kruse from CSIS Security: 4.936 out of the 5.907 unique IPs that contacted our sinkhole (83.7%) came from the US. The following table lists the top 10 infected countries:
Place | Country | Number of Unique IPs | Distribution |
---|---|---|---|
1 | United States | 4.936 | 83.7% |
2 | India | 195 | 3.3% |
3 | Singapore | 76 | 1.3% |
4 | Japan | 62 | 1.1% |
5 | Germany | 44 | 0.7% |
6 | United Kingdom | 42 | 0.7% |
7 | Russia | 41 | 0.7% |
8 | China | 28 | 0.5% |
9 | Turkey | 26 | 0.4% |
10 | Mexico | 25 | 0.4% |
The second version, however, is without any doubt targeting Ukraine and Belarus, as can be seen in the following figure:

Here, 3.046 out of 4.316 unique IPs (70.7%) came from Ukraine and Belarus. Its distribution in the top 5 countries is shown below:
Place | Country | Number of Unique IPs | Distribution |
---|---|---|---|
1 | Ukraine | 1.854 | 43% |
2 | Belarus | 1.192 | 27.7% |
3 | Turkey | 244 | 5.7% |
4 | Azerbaijan | 222 | 5.1% |
5 | Kazakhstan | 118 | 2.7% |
6 | Russia | 88 | 2% |
7 | Kyrgyzstan | 83 | 1.9% |
8 | Indonesia | 60 | 1.4% |
9 | Moldova | 57 | 1.3% |
10 | Germany | 55 | 1.3% |
Although multiple domains have recently been registered for the botnet targeting the US, we found none for the botnet targeting Ukraine and Belarus, meaning that no one is using those bots at this moment. However, the botnet could find itself with a new master at any time.
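As an added example (not code from the Bitdefender post), the following script shows how the per-country unique-IP tables above can be produced from sinkhole logs, and how bots that reappear across daily DGA domains can be spotted. The hit records, domain names and prefix-to-country map are constructed stand-ins for a real sinkhole log and GeoIP database.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sinkhole hits: (day, queried DGA domain, source IP). Not real data.
SINKHOLE_HITS = [
    ("2014-03-01", "day1-dga.example", "203.0.113.5"),
    ("2014-03-01", "day1-dga.example", "203.0.113.5"),   # repeat from the same bot
    ("2014-03-01", "day1-dga.example", "203.0.113.77"),
    ("2014-03-01", "day1-dga.example", "198.51.100.9"),
    ("2014-03-02", "day2-dga.example", "203.0.113.5"),   # same bot, next day's domain
    ("2014-03-02", "day2-dga.example", "192.0.2.40"),
]

# Constructed prefix-to-country map standing in for a GeoIP lookup (hypothetical).
GEO_PREFIXES = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "UA",
    ip_network("192.0.2.0/24"): "BY",
}

def country_of(ip):
    """Return the country code for an IP, or '??' when no prefix matches."""
    addr = ip_address(ip)
    for net, cc in GEO_PREFIXES.items():
        if addr in net:
            return cc
    return "??"

def country_distribution(hits, top_n=10):
    """Rank countries by unique source IPs over all sinkholed domains.
    Returns (place, country, unique_ips, percent) rows, like the tables above."""
    unique_ips = {ip for _, _, ip in hits}
    per_country = defaultdict(int)
    for ip in unique_ips:
        per_country[country_of(ip)] += 1
    total = len(unique_ips)
    ranked = sorted(per_country.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(place, cc, n, round(100.0 * n / total, 1))
            for place, (cc, n) in enumerate(ranked[:top_n], start=1)]

def daily_unique_ips(hits):
    """Unique IPs per (day, domain): each DGA domain is only live for one day."""
    per_day = defaultdict(set)
    for day, domain, ip in hits:
        per_day[(day, domain)].add(ip)
    return {key: len(ips) for key, ips in per_day.items()}

def returning_bots(hits):
    """IPs seen on more than one day, i.e. bots that followed the DGA to a new domain."""
    days_seen = defaultdict(set)
    for day, _, ip in hits:
        days_seen[ip].add(day)
    return sorted(ip for ip, days in days_seen.items() if len(days) > 1)
```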