Changeup created a network of infected computers (botnet) that consisted mostly of systems located in the United States and South Africa, researchers said.
The malware, a polymorphic worm that generated more than 5 million unique variants, first came to researchers' attention in 2009 and drew further scrutiny because of its aggressive spreading via mapped drives, removable storage devices, and ZIP and RAR archives.
In 2010, to move to new targets, the threat started to leverage the recently re-patched LNK vulnerability in Windows (CVE-2010-2568), the same flaw exploited in the Stuxnet cyber-espionage campaign.
An alert from US CERT (United States Computer Emergency Readiness Team) said Changeup, also known as VObfus, VBNA, AAEH and Beebone, morphs every few hours.
Its purpose is limited to downloading other pieces of malware, including banking Trojans, click-fraud programs, crypto-malware and other botnet threats.
According to data received by security company Symantec from its systems throughout the world, most of the Changeup infections were in the United States, where 11 percent of the compromises were recorded. South Africa follows, less than 1 percent behind.
Other countries affected by the malware are Brazil, Mexico, India, Saudi Arabia, Poland, France, and Nigeria.
Symantec said it registered more than 55,000 Changeup detections per month at the beginning of 2014. A year later, detections had dropped to under 30,000 per month.