Experts from Dell SecureWorks have been monitoring the botnet

Oct 8, 2013 18:06 GMT  ·  By

Security researchers from Dell’s SecureWorks Counter Threat Unit have been monitoring the activities of a cybercriminal group that relies on the peer-to-peer (P2P) version of the ZeuS Trojan, also known as Gameover.

Experts found that in addition to the Pony Loader, the group has also been using the Upatre downloader to distribute the malware.

“The downloader has a small file size and is extremely simple, implementing its functionality entirely in a single function. It downloads and executes a file from a hard-coded URL over an encrypted Secure Sockets Layer (SSL) connection from a compromised web server and then exits,” Dell researchers noted in a blog post.

The operators of the Gameover botnet are using spam emails sent by the Cutwail botnet to distribute both the Upatre and the Pony Loader downloaders.

In many cases, the malicious emails purport to come from financial institutions and government agencies. The bogus notifications are designed to trick recipients into opening an attached file that hides the malware downloaders.

Once executed, Upatre copies itself into a temporary folder, launches that copy and terminates the original process. The original executable is then deleted, after which the running copy connects to a hard-coded URL on a compromised web server (over SSL, as noted above) and downloads the payload.

The payload is written to a temporary directory and executed. Once that process has been started, the downloader exits; it makes no attempt to persist, which is consistent with how small and simple the researchers found it to be.
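The sequence above is a host-side behaviour pattern that can be hunted for in process telemetry even when the download itself is encrypted. What follows is an example added by the editor, not code from SecureWorks or from the malware: it uses a constructed, Sysmon-like event schema (the `Event` class, `find_upatre_chains`, the placeholder hashes, paths and the documentation-range address are all assumptions) and scores each process against the five steps just described.

```python
"""Hunt for the Upatre-style downloader sequence in endpoint telemetry.
Editor's example, not SecureWorks code. The event schema is a constructed
Sysmon-like subset; every sample path, hash and address is made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")   # assumption: Windows temp locations
WATCH_PORTS = {443}                       # the payload was fetched over SSL


@dataclass
class Event:
    ts: datetime
    kind: str                # "ProcessCreate", "ProcessTerminate", "NetworkConnect"
    pid: int
    image: str
    sha256: str = ""         # placeholder strings in the sample data below
    ppid: int = 0
    parent_image: str = ""
    parent_sha256: str = ""
    dst: str = ""
    dport: int = 0


def in_temp(path: str) -> bool:
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def find_upatre_chains(events, window=timedelta(seconds=30)):
    """One finding per process that (1) is a copy of its parent started from a
    temp dir, (2) whose parent then exits within `window`, (3) which connects
    out on a watched port, (4) starts a different binary from a temp dir and
    (5) then exits. Partial chains are reported with the indicators that hit."""
    events = sorted(events, key=lambda e: e.ts)
    creates = [e for e in events if e.kind == "ProcessCreate"]
    exits = {e.pid: e.ts for e in events if e.kind == "ProcessTerminate"}
    findings = []
    for copy in creates:
        # (1) Same hash as the parent, different path, under a temp dir. The hash
        # equality is what separates a self-copy from an installer that unpacks
        # a *different* helper binary into %TEMP%.
        if not (copy.sha256 and copy.sha256 == copy.parent_sha256
                and in_temp(copy.image)
                and copy.image.lower() != copy.parent_image.lower()):
            continue
        indicators = ["self_copy_to_temp"]
        # (2) The original process goes away shortly after spawning the copy.
        parent_exit = exits.get(copy.ppid)
        if parent_exit is not None and timedelta(0) <= parent_exit - copy.ts <= window:
            indicators.append("parent_exits")
        # (3) Outbound SSL connection made by the copy.
        conns = [e for e in events if e.kind == "NetworkConnect"
                 and e.pid == copy.pid and e.dport in WATCH_PORTS]
        if conns:
            indicators.append("https_connect")
        # (4) A different executable launched from a temp dir by the copy ...
        payloads = [e for e in creates if e.ppid == copy.pid
                    and in_temp(e.image) and e.sha256 != copy.sha256]
        if payloads:
            indicators.append("payload_exec_from_temp")
            # (5) ... after which the downloader itself exits.
            if copy.pid in exits and exits[copy.pid] >= payloads[0].ts:
                indicators.append("downloader_exits")
        findings.append({"pid": copy.pid, "image": copy.image, "indicators": indicators,
                         "destinations": [f"{e.dst}:{e.dport}" for e in conns],
                         "payloads": [e.image for e in payloads]})
    return findings


# Constructed sample telemetry: one Upatre-like chain started from a mail
# attachment, plus a benign installer that also writes into %TEMP%.
T0 = datetime(2013, 10, 8, 9, 0, 0)
USER = "C:\\Users\\alice"
TMP = USER + "\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [
    Event(T0, "ProcessCreate", 1200, USER + "\\Downloads\\Invoice.exe", "sha-downloader",
          900, "C:\\Windows\\explorer.exe", "sha-explorer"),
    Event(T0 + timedelta(seconds=1), "ProcessCreate", 1304, TMP + "\\abcd1234.exe",
          "sha-downloader", 1200, USER + "\\Downloads\\Invoice.exe", "sha-downloader"),
    Event(T0 + timedelta(seconds=2), "ProcessTerminate", 1200, USER + "\\Downloads\\Invoice.exe"),
    Event(T0 + timedelta(seconds=4), "NetworkConnect", 1304, TMP + "\\abcd1234.exe",
          dst="203.0.113.7", dport=443),
    Event(T0 + timedelta(seconds=9), "ProcessCreate", 1410, TMP + "\\payload.exe",
          "sha-payload", 1304, TMP + "\\abcd1234.exe", "sha-downloader"),
    Event(T0 + timedelta(seconds=10), "ProcessTerminate", 1304, TMP + "\\abcd1234.exe"),
    # Benign: installer drops a *different* stub into %TEMP%, so no self-copy.
    Event(T0 + timedelta(minutes=5), "ProcessCreate", 2200, USER + "\\Downloads\\setup.exe",
          "sha-installer", 900, "C:\\Windows\\explorer.exe", "sha-explorer"),
    Event(T0 + timedelta(minutes=5, seconds=1), "ProcessCreate", 2210,
          TMP + "\\is-1A2B.tmp\\setup.tmp", "sha-installer-stub",
          2200, USER + "\\Downloads\\setup.exe", "sha-installer"),
]

if __name__ == "__main__":
    for f in find_upatre_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']}: {', '.join(f['indicators'])}")
```

Run against the constructed events, only the chain rooted at the attachment is reported, with all five indicators; the installer is ignored because its temp-resident child has a different hash from its parent. On real telemetry, remember that PIDs are reused, so the parent-exit and child lookups should be keyed on a process GUID rather than a bare PID, and that a chain with only the first two or three indicators is still worth an analyst's attention.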

It's worth noting that Upatre fetches its payload over SSL, most likely so that network signature-based detection never sees the downloaded executable in the clear. What remains visible to a network sensor is the metadata around the encrypted session: the destination host and its certificate, the size and timing of the transfer, and the fact that it was initiated right after a process started running out of a temporary directory.

“The operators of Gameover ZeuS regularly update their tactics, techniques, and procedures (TTP). Their latest move appears to complicate signature-based network detection for their malware downloaders by using compromised websites and SSL,” experts from Dell’s SecureWorks Counter Threat Unit noted.

“The prolonged use of the Cutwail spam botnet for attracting new victims indicates that these campaigns continue to be effective.”