Gameover Malware, variant of ZeuS Trojan, uses Encryption to Bypass Detection
The year has begun with a number of new malware variants discovered by security researchers. The new variants are more complex, more sophisticated and mostly undetectable.

Two years back, in 2012, the FBI warned about the ‘GameOver’ banking Trojan, a variant of the Zeus financial malware that spreads via phishing emails. Once installed on a system, GameOver makes fraudulent transactions from the victim’s bank account, and it can also take part in Distributed Denial of Service (DDoS) attacks using a botnet, in which multiple computers flood the financial institution’s server with traffic in an effort to deny legitimate users access to the site.

But that wasn't the end: researchers have discovered a new variant of the same banking Trojan family, delivered by cyber criminals to users’ machines in a way that makes it easier for the malware to evade detection and steal victims’ banking credentials.

Malcovery's Gary Warner explains, in a blog post, the behavior of the new GameOver Zeus variant, which uses encryption to bypass perimeter security.

Gary Warner noted that, to get this job done, the malware works together with another piece of malware called 'UPATRE', which is delivered via social engineering techniques.

The new version of GameOver ships its ‘.EXE’ payload encrypted into a non-executable format, an ‘.ENC’ file, so that the malware, which spreads via spam e-mails and malicious attachments, can avoid being spotted by firewalls, IDS, web filters and other security defenses that inspect by file type.

To spread it at large scale, the attackers run a spam campaign through the ‘Cutwail’ botnet; the messages are designed to look like official correspondence from banks or government agencies and trick the user into opening the attached .zip file.

Gary Warner explains that, “These .zip files contain a small .exe file whose primary job is to go out to the Internet and download larger, more sophisticated malware that would never pass through spam filters without causing alarm, but because of the way our perimeter security works, are often allowed to be downloaded by a logged in user from their workstation.”

Boldizsár Bencsáth, from the CrySys Lab in Hungary, has explained the encryption method in his blog post on Sunday, "The droppers sent out through emails are pretty small, around 10-18 KB. These droppers have an obfuscation layer, so hard to directly analyze them."

In the new model, the .zip file attached to the email carries a new version of UPATRE, which first downloads the .ENC file from the Internet, decrypts it, writes it back under a new file name, and then both executes it and schedules it to run again in the future, Warner writes.
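The evasion described above works because perimeter filters judge a download by its extension and obvious file signature, and an encrypted ‘.ENC’ blob has neither. The following is an added example, not code from the article, Malcovery or CrySys Lab, of the content-based check a defender would want instead: it classifies a file by what it contains (a PE header, an archive that carries an executable, or an opaque high-entropy blob behind a harmless-looking extension) rather than by the name the sender chose. The sample files, the extension list, the verdict labels and the 7.5 bits/byte entropy threshold are all assumptions constructed for the example.

```python
"""Content-based inspection of inbound attachments and downloads.

Added example, not part of the original article. It looks past the
file extension, which is what the .ENC trick relies on, and classifies
a blob by what it contains. All sample files are constructed in memory.
"""
import io
import math
import os
import zipfile
from collections import Counter

# Extensions a perimeter filter would normally block outright (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"           # DOS/PE header signature
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a zip archive


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def executables_in_zip(data: bytes) -> list:
    """Names of executable members inside a zip, or [] if data is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m for m in zf.namelist()
                    if os.path.splitext(m.lower())[1] in EXECUTABLE_EXTENSIONS]
    except zipfile.BadZipFile:
        return []


def classify(filename: str, data: bytes, entropy_threshold: float = 7.5) -> str:
    """Verdict based on content, not on the extension the sender chose.

    entropy_threshold is a heuristic (assumption): English text sits around
    4-5 bits/byte, encrypted or random data close to 8.
    """
    ext = os.path.splitext(filename.lower())[1]
    if data.startswith(PE_MAGIC):
        return "executable" if ext in EXECUTABLE_EXTENSIONS else "executable-with-misleading-extension"
    if data.startswith(ZIP_MAGIC):
        # The small dropper .exe inside a .zip attachment is caught here.
        return "archive-containing-executable" if executables_in_zip(data) else "archive"
    if ext not in EXECUTABLE_EXTENSIONS and shannon_entropy(data) >= entropy_threshold:
        # Opaque blob behind a non-executable extension: the shape of the .ENC
        # download. Legitimate compressed or encrypted files look the same, so
        # this verdict means "hold for review", not "block".
        return "possible-encrypted-payload"
    return "data"


def scan(items):
    """Classify a list of (filename, bytes) pairs; returns (filename, verdict) pairs."""
    return [(name, classify(name, blob)) for name, blob in items]


def build_samples():
    """Constructed inputs for the demonstration (not real malware)."""
    fake_pe = PE_MAGIC + b"\x00" * 62            # minimal MZ-looking header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:        # attachment carrying a dropper-style member
        zf.writestr("invoice.exe", fake_pe)
    zipped_dropper = buf.getvalue()
    text = b"Dear customer, your statement is attached. " * 50
    opaque = bytes(range(256)) * 16              # every byte value equally often: entropy 8.0
    return [
        ("invoice.zip", zipped_dropper),
        ("statement.txt", text),
        ("update.enc", opaque),
        ("holiday.jpg", fake_pe),
    ]


if __name__ == "__main__":
    for name, verdict in scan(build_samples()):
        print(f"{name:15} {verdict}")
```

The entropy rule is deliberately a review signal rather than a block rule: JPEGs, archives and legitimately encrypted documents also score near 8 bits/byte, so in practice it is combined with context such as the download's origin, the requesting process and whether the fetch followed an e-mail attachment being opened. The host-side half of the chain the article describes, a newly written executable that is run and then registered to run again later, is a separate signal that this network-side check does not cover.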

Keep your antivirus up to date.
