Researchers have uncovered a new variant of the Bugat banking Trojan which uses HTML injection techniques that are very similar to the ones used by Gameover Zeus.
The disruption of the Gameover Zeus botnet was announced in early June by law enforcement agencies and private sector companies. Shortly after, cybercriminals launched a new version of the banking malware in an effort to create a different botnet. In the meantime, some of the techniques used by the threat have been borrowed by other malware developers for their own creations.
Etay Maor, senior fraud prevention strategist at IBM Security, reported on Thursday that a new variant of the Bugat malware, which is also known as Cridex and Geodo, has been infecting computers in the United Kingdom and the Middle East. What’s interesting about this variant is that the HTML injections it uses to steal sensitive information from victims are very similar, and in some cases identical, to the ones utilized by Gameover Zeus.
“The HTML injections and scripts as well as the structure of the attack used by Bugat to target banking applications are GOZ-like,” Maor said in a blog post.
While it’s possible that the similarities are the result of a member of the Gameover Zeus team moving to the Bugat team, experts believe this scenario is unlikely because the two are competitors. The more plausible explanation for the similarities is that Bugat developers reverse engineered Gameover Zeus and copied the code responsible for Web injections.
Once it infects a device, the new Bugat ensures that victims are redirected to phishing websites whenever they try to visit the website of a financial institution. As soon as the user hands over login credentials, the malware connects to the bank’s real website and uses the information to access the account. The connection is carried out through the victim’s IP address in order to evade potential IP-based security checks implemented by the bank.
If one-time passwords, answers to secret questions or other information is requested by the bank to complete transactions, the cybercriminals can obtain it in real time with the aid of the HTML injections and social engineering.
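The two paragraphs above describe the defining trait of a web-inject: the bank serves one login form, but the victim's browser renders a modified one that asks for extra data such as one-time passwords or secret-question answers. One defensive check a bank's fraud team can run is to compare the form fields actually rendered on the client (collected, for instance, by a page-integrity script or a support capture) against the fields the bank legitimately serves. The script below is an added example, not code from IBM X-Force or from the article; both HTML samples, the field names and the form id are constructed for illustration.

```python
"""Flag form fields that appear in a rendered bank login page but not in the
page the bank actually serves (a tell-tale sign of a web-inject).

Added example; the baseline and the "rendered" page are constructed inputs,
not captures of any real bank or of the malware described in the article.
"""
from html.parser import HTMLParser

# What the bank's server legitimately serves (constructed sample).
BASELINE_LOGIN_PAGE = """
<form id="login" action="/auth" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
"""

# What a victim's browser rendered (constructed sample): two extra prompts
# asking for data the bank never requests on its login page.
RENDERED_PAGE_SUSPECT = """
<form id="login" action="/auth" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="otp_code" placeholder="Enter the code we sent you">
  <select name="secret_question"><option>Mother's maiden name</option></select>
  <input type="submit" value="Log in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect (form id, field name, tag) for every named input-like element."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Identify the form by id, falling back to its action URL.
            self.current_form = a.get("id") or a.get("action") or "<anonymous>"
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.fields.append((self.current_form, a["name"], tag))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def collect_fields(html):
    """Return the set of (form, name, tag) triples found in an HTML document."""
    parser = FormFieldCollector()
    parser.feed(html)
    return set(parser.fields)


def find_injected_fields(baseline_html, rendered_html):
    """Fields present in the rendered page but absent from the served baseline.

    Returned sorted so the output is stable and easy to assert on.
    """
    return sorted(collect_fields(rendered_html) - collect_fields(baseline_html))


if __name__ == "__main__":
    for form, name, tag in find_injected_fields(BASELINE_LOGIN_PAGE, RENDERED_PAGE_SUSPECT):
        print(f"unexpected <{tag}> field in form '{form}': {name}")
```

The comparison is deliberately structural (form, field name, element type) rather than a byte-for-byte diff, because legitimate pages vary in whitespace, CSRF tokens and timestamps while an inject adds whole new prompts. In practice the baseline would be generated from the server's template and the rendered view collected from the browser, so the check flags additions regardless of how the page was altered on the client.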
“IBM X-Force research teams have seen a dramatic drop in the number of GOZ-infected devices and number of successful fraud attempts using this technique since the joint operation against GOZ. However, with this new variant of Bugat malware, the same successful approach seems to be coming back to life by a competing Trojan,” Maor explained.
In March, Dell SecureWorks reported that Bugat was the 7th most common piece of malware detected by the company in 2013.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.