“Gameover” trojan hides activity in encrypted SSL connections to defraud victims

Saboteurs spreading the Gameover banking trojan are hosting the Zeus variant on a number of infected websites and using an encrypted secure sockets layer (SSL) connection to remain undetected.

Researchers at Dell SecureWorks Counter Threat Unit (CTU) detailed attackers' latest schemes to spread the financial malware in a blog post published last Friday.

According to the team, Gameover operators are delivering downloader malware called "Upatre" to victims via spam, then having the downloader retrieve the Gameover payload from infected websites hosting the malware.

Instead of receiving instructions from an attacker-operated command-and-control server, the Upatre downloader uses an encrypted SSL connection to download malware directly from compromised web servers.

The spam is sent via the infamous Cutwail botnet and is designed to look like official correspondence from banks and government agencies (see image below).

“The [Upatre] downloader has a small file size and is extremely simple, implementing its functionality entirely in a single function,” the blog post said. “It downloads and executes a file from a hard-coded URL over an encrypted secure sockets layer (SSL) connection from a compromised web server and then exits.”

Gameover carries out many of the standard malicious capabilities of Zeus trojans, like logging victims' keystrokes to steal banking credentials, but has also been packaged with malicious functions that allow it to launch distributed denial-of-service (DDoS) attacks against financial institutions.

In the blog post, Dell SecureWorks included a list of more than 20 websites that had been compromised to host Gameover.

In a Monday interview with, Jason Milletary, the technical director for malware analysis at Dell SecureWorks CTU, said that the process is just another way for the Gameover operators to obscure their fraudulent activities.

“It makes it more difficult to detect and block [malicious] traffic on the network, because it's all occurring on the SSL encryption,” Milletary said.

In addition to educating staff on phishing tactics employed by miscreants, Dell SecureWorks advised that organizations consider blocking executable file types and implement solutions that detect incoming malicious emails.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.