"Gameover" trojan hides activity in encrypted SSL connections to defraud victims

Share this article:

Saboteurs spreading the Gameover banking trojan are hosting the Zeus variant on a number of infected websites and using an encrypted secure sockets layer (SSL) connection to remain undetected.

Researchers at Dell SecureWorks Counter Threat Unit (CTU) detailed attackers' latest schemes to spread the financial malware in a blog post published last Friday.

According to the team, Gameover operators are delivering downloader malware called "Upatre" to victims via spam, then having the downloader retrieve the Gameover payload from infected websites hosting the malware.

Instead of receiving instructions from an attacker-operated command-and-control server, the Upatre downloader uses an encrypted SSL connection to download malware directly from compromised web servers.

The spam is sent via the infamous Cutwail botnet and is designed to look like official correspondence from banks and government agencies (see image below).

“The [Upatre] downloader has a small file size and is extremely simple, implementing its functionality entirely in a single function,” the blog post said. “It downloads and executes a file from a hard-coded URL over an encrypted secure sockets layer (SSL) connection from a compromised web server and then exits.”

Gameover carries out many of the standard malicious capabilities of Zeus trojans, like logging victims' keystrokes to steal banking credentials, but has also been packaged with malicious functions that allow it to launch distributed denial-of-service (DDoS) attacks against financial institutions.

In the blog post, Dell SecureWorks included a list of more than 20 websites that had been compromised to host Gameover.

In a Monday interview with SCMagazine.com, Jason Milletary, the technical director for malware analysis at Dell SecureWorks CTU, said that the process is just another way for the Gameover operators to obscure their fraudulent activities.

“It makes it more difficult to detect and block [malicious] traffic on the network, because it's all occurring on the SSL encryption,” Milletary said.

In addition to educating staff on phishing tactics employed by miscreants, Dell SecureWorks advised that organizations consider blocking executable file types and implement solutions that detect incoming malicious emails.

Share this article:

Sign up to our newsletters

More in News

Latest Citadel trick allows RDP access after malware's removal

Latest Citadel trick allows RDP access after malware's ...

Trusteer, an IBM company, said the new Citadel configuration was detected this month.

Cryptoblocker variant emerges, encryption differs from CryptoLocker

Trend Micro has detected a variant of CryptoLocker in the wild that relies on the advanced encryption standard.

Jimmy John's sandwich chain investigating possible breach

Some financial institutions have indicated that credit cards recently used at Jimmy John's locations have been used to make fraudulent purchases.