The Gameover banking trojan is relaying information over encrypted secure sockets layer (SSL) connections to avoid detection and has infected at least 250,000 machines.
Investigators at the Dell SecureWorks Counter Threat Unit (CTU) elaborated on the attackers' most recent scheme for spreading the financial-theft malware in a post published on their blog last Friday.
Gameover operators are delivering a malware downloader called "Upatre" to victims via spam email, then having the downloader call back for the Gameover payload from compromised websites that host the malware.
Rather than receiving instructions from a command-and-control (C&C) server, the "Upatre" downloader uses an encrypted SSL connection to download the malware directly from those compromised web servers, so the payload transfer is not visible to network inspection that looks at plaintext traffic.
The spam is sent via the infamous Cutwail botnet and is designed to look like official emails from banks and government agencies.
“The [Upatre] downloader has a small file size and is extremely simple, implementing its functionality entirely in a single function,” the blog post said. “It downloads and executes a file from a hard-coded URL over an encrypted secure sockets layer (SSL) connection from a compromised web server and then exits.”
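Because the payload is fetched over SSL from a compromised site, the download URL cannot be read off the wire; a responder has to recover it from the downloader binary itself. The following is an added example, not code from the CTU post, of the static check a practitioner would run on a suspected downloader: it scans the file for hard-coded http(s) URLs in both ASCII and UTF-16LE (wide) string form, the two encodings Windows binaries commonly use. The sample bytes, hostnames and paths are constructed for the example.

```python
from __future__ import annotations

import re
from typing import List, Dict
from urllib.parse import urlsplit

# URL characters per RFC 3986 (unreserved, reserved and percent-encoding).
_URL_CHARS = rb"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]"

# ASCII URL: scheme followed by a run of URL characters.
ASCII_URL = re.compile(rb"https?://" + _URL_CHARS + rb"+")

# Same pattern with a NUL after every byte, i.e. a UTF-16LE string.
WIDE_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _URL_CHARS + rb"\x00)+"
)


def _scan(blob: bytes) -> List[Dict[str, object]]:
    """Find every hard-coded URL in blob, ordered by file offset."""
    hits = []
    for m in ASCII_URL.finditer(blob):
        hits.append({"offset": m.start(), "url": m.group(0).decode("ascii"), "encoding": "ascii"})
    for m in WIDE_URL.finditer(blob):
        hits.append({"offset": m.start(), "url": m.group(0).decode("utf-16-le"), "encoding": "utf-16le"})
    hits.sort(key=lambda h: h["offset"])
    return hits


def extract_urls(blob: bytes) -> List[str]:
    """Return the distinct URLs found in blob, in order of appearance."""
    seen, out = set(), []
    for h in _scan(blob):
        if h["url"] not in seen:
            seen.add(h["url"])
            out.append(h["url"])
    return out


def triage(blob: bytes) -> List[Dict[str, object]]:
    """Break each hard-coded URL into scheme, host and path so the host can be
    checked against the organisation's proxy or DNS logs and the path handed to
    the site owner for cleanup. An https scheme means the transfer itself would
    not have been inspectable on the wire."""
    records = []
    for h in _scan(blob):
        parts = urlsplit(h["url"])
        records.append({
            "offset": h["offset"],
            "encoding": h["encoding"],
            "url": h["url"],
            "scheme": parts.scheme,
            "host": parts.hostname,
            "path": parts.path,
            "encrypted_transport": parts.scheme == "https",
        })
    return records


# Constructed stand-in for a downloader: a fake PE header, one ASCII URL and
# one wide-string URL embedded between zero padding. Hosts are placeholders.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"https://example-compromised.test/images/update.enc\x00"
    + b"\x00" * 8
    + "http://example.test/q?id=1".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```

Run it against a real file with `triage(open(path, "rb").read())`; only strings that are literally present in the file are recovered, so a downloader that builds or decrypts its URL at run time will need dynamic analysis instead.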
Gameover carries over many of the malicious capabilities of the Zeus banking trojan, from logging victims' keystrokes to stealing banking credentials, but it has also been bundled with components that allow it to launch distributed denial-of-service (DDoS) attacks against financial institutions.