The Gameover variant of the nefarious Zeus banking trojan has recently been observed sneaking past defenses as an encrypted EXE file, according to researchers with Malcovery, a provider of security intelligence and forensic analysis through services and software.
According to a Sunday post by Gary Warner, CTO of Malcovery, this latest tweak to the Gameover delivery method encrypts the EXE file so that it no longer looks like an executable while in transit, allowing it to slip undetected past firewalls, web filters, network intrusion detection systems and other perimeter security.
“In the new delivery model, the .zip file attached to the email has a NEW version of UPATRE that first downloads the .enc file from the Internet and then DECRYPTS the file, placing it in a new location with a new filename, and then causing it both to execute and to be scheduled to execute in the future,” Warner said in the post.
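The change Warner describes is aimed at file-type inspection at the perimeter: a gateway that decides "this is an executable" from the bytes on the wire never sees an MZ/PE header in the .enc download, and only the Upatre stage on the victim host ever holds the plaintext. The Python below is an added example, not Malcovery's or Dell SecureWorks' code. It builds a constructed PE-like stub (not real malware), wraps it with two stand-in ciphers (a single-byte XOR and a SHA-256 counter-mode keystream; both are assumptions, since the post does not say how the .enc file is encrypted), and runs the layered checks a practitioner would put on a download: the PE-header check that the encryption defeats, a 256-key brute-force unwrap for the single-byte XOR case, and a Shannon-entropy heuristic that catches a real stream cipher but, as the example shows, not a byte-wise XOR, because that preserves the byte distribution. The entropy cut-off is illustrative.

```python
import hashlib
import math
from collections import Counter
from typing import Optional

ENTROPY_THRESHOLD = 7.0   # bits per byte; illustrative cut-off, not a vendor value


def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable (not real malware).
    Only the two markers a file-type check keys on are faithful: the 'MZ'
    DOS header with e_lfanew at offset 0x3C, and 'PE\\0\\0' at e_lfanew."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x00" * 58 + e_lfanew.to_bytes(4, "little")   # 64 bytes
    dos_stub = b"This program cannot be run in DOS mode.\r\n$"
    dos_stub = dos_stub.ljust(e_lfanew - len(dos_header), b"\x00")      # pad to 0x80
    nt_headers = b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 250            # Machine = i386
    section = (b"kernel32.dll\x00GetProcAddress\x00" * 8).ljust(1500, b"\x00")
    return dos_header + dos_stub + nt_headers + section


FAKE_PE = build_fake_pe()


def looks_like_pe(data: bytes) -> bool:
    """What a content filter or IDS signature checks before calling a download
    an executable. This is the check an encrypted .enc payload defeats."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Weakest possible wrapper (assumed cipher); the same call decrypts."""
    return bytes(b ^ key for b in data)


def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode; the same call decrypts.
    Assumption: this does not model Upatre's real scheme."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(b ^ k for b, k in zip(data, stream))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain PE files sit well below 8; stream-encrypted or
    compressed content sits close to it. A byte-wise XOR only permutes byte
    values, so it leaves this number unchanged."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def brute_force_single_xor(data: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; report the one that exposes a PE header."""
    for key in range(256):
        if looks_like_pe(xor_single_byte(data, key)):
            return key
    return None


def classify_download(data: bytes) -> str:
    """Layered verdict for a file observed on the wire."""
    if looks_like_pe(data):
        return "executable"
    if brute_force_single_xor(data) is not None:
        return "xor-wrapped-executable"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy-blob"   # opaque content: sandbox it or block by policy
    return "unremarkable"


if __name__ == "__main__":
    samples = {
        "plain .exe": FAKE_PE,
        "single-byte XOR .enc": xor_single_byte(FAKE_PE, 0x5A),
        "stream-cipher .enc": keystream_encrypt(FAKE_PE, b"demo-key"),
    }
    for name, blob in samples.items():
        print(f"{name:22s} pe={looks_like_pe(blob)!s:5s} "
              f"entropy={shannon_entropy(blob):.2f} -> {classify_download(blob)}")
```

The takeaway for defenders is the third sample: once the wrapper is a real cipher, nothing content-based on the wire recovers the executable, and the only places the plain EXE exists are the Upatre process and the new file it writes and schedules on the host, which is where endpoint and behavioural detection has to pick it up.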
In October 2013, researchers with Dell SecureWorks Counter Threat Unit (CTU) identified a malware downloader called “Upatre” being delivered via spam, which at the time was observed using an encrypted SSL connection to download the Gameover malware directly from compromised web servers.
The spam element still plays a role in this latest campaign.
“The malware delivery mechanism through spam email remains the same,” Brett Stone-Gross, a senior security researcher with Dell SecureWorks CTU, said in an email to SCMagazine.com. Warner posted images of emails containing Upatre that fool recipients by purporting to come from well-known groups, including Staples and the IRS.
However, security professionals have caught on to the encrypted SSL connection delivery method.
“The encrypted connections over SSL can be detected by intercepting the network traffic (through a technique known as a man-in-the-middle attack) to decrypt the communications on-the-fly, and by identifying anomalies in the SSL certificate generation process that is used to encrypt the traffic,” Stone-Gross said.
Gameover shares many properties with Zeus, such as logging keystrokes to steal banking credentials, but it has also been packaged with malicious functions that allow it to launch distributed denial-of-service (DDoS) attacks against financial institutions.