"Gameover" trojan hides activity in encrypted SSL connections to defraud victims

Share this article:

Saboteurs spreading the Gameover banking trojan are hosting the Zeus variant on a number of infected websites and using an encrypted secure sockets layer (SSL) connection to remain undetected.

Researchers at Dell SecureWorks Counter Threat Unit (CTU) detailed attackers' latest schemes to spread the financial malware in a blog post published last Friday.

According to the team, Gameover operators are delivering downloader malware called "Upatre" to victims via spam, then having the downloader retrieve the Gameover payload from infected websites hosting the malware.

Instead of receiving instructions from an attacker-operated command-and-control server, the Upatre downloader uses an encrypted SSL connection to download malware directly from compromised web servers.

The spam is sent via the infamous Cutwail botnet and is designed to look like official correspondence from banks and government agencies (see image below).

“The [Upatre] downloader has a small file size and is extremely simple, implementing its functionality entirely in a single function,” the blog post said. “It downloads and executes a file from a hard-coded URL over an encrypted secure sockets layer (SSL) connection from a compromised web server and then exits.”

Gameover carries out many of the standard malicious capabilities of Zeus trojans, like logging victims' keystrokes to steal banking credentials, but has also been packaged with malicious functions that allow it to launch distributed denial-of-service (DDoS) attacks against financial institutions.

In the blog post, Dell SecureWorks included a list of more than 20 websites that had been compromised to host Gameover.

In a Monday interview with SCMagazine.com, Jason Milletary, the technical director for malware analysis at Dell SecureWorks CTU, said that the process is just another way for the Gameover operators to obscure their fraudulent activities.

“It makes it more difficult to detect and block [malicious] traffic on the network, because it's all occurring on the SSL encryption,” Milletary said.

In addition to educating staff on phishing tactics employed by miscreants, Dell SecureWorks advised that organizations consider blocking executable file types and implement solutions that detect incoming malicious emails.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.