Tool: GameOver Zeus| Names | GameOver Zeus Peer-to-Peer Zeus P2P Zeus GOZ | |
| Category | Malware | |
| Type | Banking trojan, Info stealer, Credential stealer, Downloader, Botnet | |
| Description | (US-CERT) GOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute commands. Centralized C2 servers are routinely tracked and blocked by the security community. GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection. These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to send stolen data. Without a single point of failure, the resiliency of GOZ’s P2P infrastructure makes takedown efforts more difficult. | |
| Information | <https://www.us-cert.gov/ncas/alerts/TA14-150A> <http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf> <https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf> <https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf> <https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/> <https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware> <https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf> <https://www.lawfareblog.com/what-point-these-nation-state-indictments> | |
| MITRE ATT&CK | <https://attack.mitre.org/software/S0016/> | |
| Malpedia | <https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p> | |
| AlienVault OTX | <https://otx.alienvault.com/browse/pulses?q=tag:gameover%20zeus> | |
Last change to this tool card: 23 April 2021
Download this tool card in JSON format
Previous: Gamaredon
Next: GandCrab
| Changed | Name | Country | Observed | ||
APT groups | |||||
| TA505, Graceful Spider, Gold Evergreen |  | 2006-Oct 2020 |  | ||
1 group listed (1 APT, 0 other, 0 unknown)
|
Thailand Computer Emergency Response Team (ThaiCERT) Follow us on
|
Report incidents |
|
 |
+66 (0)2-123-1234 | |
 |
report@thaicert.or.th | |
 |
Download PGP key | |