"Gameover" trojan hides activity in encrypted SSL connections to defraud victims

Share this article:

Saboteurs spreading the Gameover banking trojan are hosting the Zeus variant on a number of infected websites and using an encrypted secure sockets layer (SSL) connection to remain undetected.

Researchers at Dell SecureWorks Counter Threat Unit (CTU) detailed attackers' latest schemes to spread the financial malware in a blog post published last Friday.

According to the team, Gameover operators are delivering downloader malware called "Upatre" to victims via spam, then having the downloader retrieve the Gameover payload from infected websites hosting the malware.

Instead of receiving instructions from an attacker-operated command-and-control server, the Upatre downloader uses an encrypted SSL connection to download malware directly from compromised web servers.

The spam is sent via the infamous Cutwail botnet and is designed to look like official correspondence from banks and government agencies (see image below).

“The [Upatre] downloader has a small file size and is extremely simple, implementing its functionality entirely in a single function,” the blog post said. “It downloads and executes a file from a hard-coded URL over an encrypted secure sockets layer (SSL) connection from a compromised web server and then exits.”

Gameover carries out many of the standard malicious capabilities of Zeus trojans, like logging victims' keystrokes to steal banking credentials, but has also been packaged with malicious functions that allow it to launch distributed denial-of-service (DDoS) attacks against financial institutions.

In the blog post, Dell SecureWorks included a list of more than 20 websites that had been compromised to host Gameover.

In a Monday interview with SCMagazine.com, Jason Milletary, the technical director for malware analysis at Dell SecureWorks CTU, said that the process is just another way for the Gameover operators to obscure their fraudulent activities.

“It makes it more difficult to detect and block [malicious] traffic on the network, because it's all occurring on the SSL encryption,” Milletary said.

In addition to educating staff on phishing tactics employed by miscreants, Dell SecureWorks advised that organizations consider blocking executable file types and implement solutions that detect incoming malicious emails.

This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization. Your use of this website constitutes acceptance of Haymarket Media's Privacy Policy and Terms & Conditions