New GOZ first steps
Since the very beginning of the operation against the infamous Murofet/Gameover/ZeusP2P banking trojan (known as Operation Tovar), the botnet's growth has stalled, and it appears to have been abandoned since then. Instead of recovering control of the botnet, the botmasters (or new ones) seem to have decided to build a new botnet from scratch using a new GOZ version. We analyze the main new features throughout this post.
- The new trojan has replaced the peer-to-peer (P2P) mechanism with a fast-flux network driven by a new domain generation algorithm (DGA).
- The public key embedded in the trojan (XORed in the same way as before) is no longer used to verify the signature of the resources exchanged via P2P. Instead, it is now used as part of the classic symmetric + asymmetric communication scheme: the payload is encrypted with a randomly generated symmetric key, and that key is encrypted with the public key before being sent to the command and control server. The scheme is similar to the one used, for instance, by Cryptolocker (related to Murofet) or Cridex/Bugat/Feodo/Geodo.
Since the DGA is based on a hardcoded seed, creating a new botnet is just a matter of changing two values in the binary: the seed and the public key.
While the cipher has been kept largely unchanged, there have been some modifications due to the new communication scheme described above. In short:
- RC4 is still used for the configuration stored in the system registry.
- Communication with the command and control panel is now based on AES-256 + RSA.
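The symmetric + asymmetric scheme described in the feature list and in the cipher summary above, written out as an added example (not the trojan's code, and not reverse-engineered from it): a fresh random AES-256 session key encrypts the payload, and the embedded RSA public key encrypts that session key so that only the holder of the matching private key can recover it. The page only states "AES-256 + RSA"; the choice of AES-GCM, RSA-OAEP, the envelope layout and all names here are my assumptions. The second half of the demo illustrates why swapping the embedded public key is enough to cut a sample off from an old operator: a different private key cannot unwrap the session key, so the traffic is opaque to anyone without it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope models one hybrid-encrypted message. Field names and layout are
// assumptions for this example, not the trojan's wire format.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP encryption of the AES-256 session key
	Nonce      []byte // AES-GCM nonce (assumed mode)
	Body       []byte // AES-GCM ciphertext with authentication tag
}

// Seal encrypts plaintext for the holder of pub: random session key for the
// body, public key only for the session key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)
	// Only the session key is RSA-encrypted; the payload itself never is.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: body}, nil
}

// Open recovers the session key with the private key and then the body.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Body, nil)
}

// RoundTrip seals msg for one key pair, opens it with the right private key,
// and reports whether an unrelated private key fails to open the same envelope.
func RoundTrip(msg []byte) (recovered []byte, wrongKeyFails bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048) // key whose public half is embedded
	if err != nil {
		return nil, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // any other key pair
	if err != nil {
		return nil, false, err
	}
	env, err := Seal(&operator.PublicKey, msg)
	if err != nil {
		return nil, false, err
	}
	recovered, err = Open(operator, env)
	if err != nil {
		return nil, false, err
	}
	_, wrongErr := Open(other, env)
	return recovered, wrongErr != nil, nil
}

func main() {
	// Constructed sample payload, not a real bot message.
	out, wrongFails, err := RoundTrip([]byte("constructed beacon"))
	fmt.Printf("recovered=%q wrongKeyFails=%v err=%v\n", out, wrongFails, err)
}
```

Because the body is authenticated (GCM tag) and the session key is padded (OAEP), both a tampered body and a mismatched key surface as errors rather than as garbage plaintext; the same property means captured traffic is useless for analysis without the operator's private key, which is why the public key rather than the cipher is what distinguishes one botnet from another.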
The configuration has remained largely unchanged. In fact, most injections and target entities are old, and they even contain variables belonging to features no longer present in the current version, such as those related to the P2P proxy:
Therefore, it seems that we are facing a lite version of GOZ which somehow reminds us of Licat, its predecessor. Far from reducing the trojan's prominence, even if the configuration files may suggest that it was released in haste, features such as the DGA seed may lead to a boom of new GOZ botnets, which will start a new cat-and-mouse chase.