Cyber criminals are trying to resurrect the Gameover Zeus virus more than a month after its distribution botnet was taken down by international police, according the Malcovery Security.
Victims are said to be infected through spam email attachments pretending to be from banks, with NatWest and M&T among those being impersonated.
Brendan Griffin and Gary Warner, both of Malcovery, said: "This discovery indicates that the criminals responsible for Gameover’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takedowns in history."
Once installed the malware attempts to make contact with a command and control (C&C) server, which then sends instructions on how to proceed.
According to the security firm the domain generation algorithm used to regain access to the botnet "bears a striking resemblance" to that used by the original Gameover Zeus (GOZeuS) trojan, though the two are not directly related.
"Many sandboxes would have failed to launch the malware, as the presence of VMWare Tools will stop the malware from executing," Griffin and Warner said.
They added that other sandboxes would not have noticed a successful connection, owing to the six to 10 minutes taken to generate the domain name used to launch the trojan.
In a twist from the original peer-to-peer infrastructure the criminals are using fast flux hosting, which uses proxy redirection to make botnets more resistant to takedowns.
Contacted by the security firm, the FBI and Dell claimed the original Gameover Zeus botnet was still disabled.