Connect with us

Hi, what are you looking for?



New Bugat Malware Uses HTML Injections Taken From Gameover Zeus

Researchers have uncovered a new variant of the Bugat banking Trojan which uses HTML injection techniques that are very similar to the ones used by Gameover Zeus.

Researchers have uncovered a new variant of the Bugat banking Trojan which uses HTML injection techniques that are very similar to the ones used by Gameover Zeus.

The disruption of the Gameover Zeus botnet was announced in early June by law enforcement agencies and private sector companies. Shortly after, cybercriminals launched a new version of the banking malware in an effort to create a different botnet. In the meantime, some of the techniques used by the threat have been borrowed by other malware developers for their own creations.

Etay Maor, senior fraud prevention strategist at IBM Security, reported on Thursday that a new variant of the Bugat malware, which is also known as Cridex and Geodo, has been infecting computers in the United Kingdom and the Middle East. What’s interesting about this variant is that the HTML injections it uses to steal sensitive information from victims are very similar and even identical in some cases to the ones utilized by Gameover Zeus.

“The HTML injections and scripts as well as the structure of the attack used by Bugat to target banking applications are GOZ-like,” Maor said in a blog post.

While it’s possible that the similarities are the result of a member of the Gameover Zeus team moving to the Bugat team, experts believe this scenario is unlikely because the two are competitors. The more plausible explanation for the similarities is that Bugat developers reverse engineered Gameover Zeus and copied the code responsible for Web injections.

Once it infects a device, the new Bugat ensures that victims are redirected to phishing websites whenever they try to visit the website of a financial institution. As soon as the user hands over login credentials, the malware connects to the bank’s real website and uses the information to access the account. The connection is carried out through the victim’s IP address in order to evade potential IP-based security checks implemented by the bank.

If one-time passwords, answers to secret questions or other information is requested by the bank to complete transactions, the cybercriminals can obtain it in real time with the aid of the HTML injections and social engineering.

“IBM X-Force research teams have seen a dramatic drop in the number of GOZ-infected devices and number of successful fraud attempts using this technique since the joint operation against GOZ. However, with this new variant of Bugat malware, the same successful approach seems to be coming back to life by a competing Trojan,” Maor explained.

Advertisement. Scroll to continue reading.

In March, Dell SecureWorks reported that Bugat was the 7th most common piece of malware detected by the company in 2013.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.