The Gameover ZeuS trojan, also known as Peer-to-Peer (P2P) ZeuS, is one of the largest and most sophisticated botnets involved in online banking fraud. The botnet operators are very well connected in the underground community, and they rely upon a variety of tools and services provided by other cybercriminals to run their operation. In particular, the group regularly uses the Cutwail spam botnet to lure new victims and the Pony Loader malware to steal credentials and download additional malware, including Gameover ZeuS. In August 2013, the Dell SecureWorks Counter Threat Unit™ (CTU) research team discovered that in addition to the Pony Loader, the group is using a new downloader known as Upatre to distribute its malware. The downloader has a small file size and is extremely simple, implementing its functionality entirely in a single function. It downloads and executes a file from a hard-coded URL over an encrypted Secure Sockets Layer (SSL) connection from a compromised web server and then exits. Figure 1 diagrams the malware distribution process.
Figure 1. Gameover ZeuS malware distribution process with the Upatre downloader. (Source: Dell SecureWorks)
The Gameover ZeuS botnet operators distribute both Pony Loader and the Upatre downloader through spam emails sent by the Cutwail botnet. Many lures have used social engineering techniques by impersonating financial institutions and government agencies to trick a victim into executing the malware. The spam emails have an embedded malware executable in a ZIP attachment, so user interaction is required to infect the system. Figure 2 shows an example spam email containing the Upatre downloader as an attachment.
Figure 2. Example spam email lure containing the Upatre downloader as an attachment. (Source: Dell SecureWorks)
Upatre downloads and executes a designated payload using the following process:
The following parameters are configured at compile time:
The malware is currently hard-coded to use port 443, which instructs the WinINet libraries to use SSL for communication. Upatre also uses a distinctive User-Agent “Updates downloader”, although this string is not visible over an encrypted SSL channel.
Command and Control Traffic
The Upatre malware is configured to download and execute a file hosted on a compromised site over HTTPS. Figure 3 shows an example request with the SSL encryption removed.
Figure 3. Upatre download request shown with the SSL encryption removed. (Source: Dell SecureWorks)
It is technically feasible to write network signatures for the SSL certificates on the compromised malware payload sites, but the signatures may produce false positives because these sites are legitimate. The malware authors likely used SSL to hinder network-based signature detection systems.
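Because the User-Agent and URL are hidden on the wire by SSL, the compile-time parameters described above are easier to find in the sample itself than in network traffic. The following static triage script is an added example, not SecureWorks tooling: it extracts ASCII and UTF-16LE strings from a file and reports the "Updates downloader" User-Agent and any hard-coded https/port-443 download URL. The embedded sample blob and its hostname are constructed placeholders, not indicators from this report.

```python
"""Static triage for Upatre-style downloader traits (added example)."""
import re

UPATRE_UA = "Updates downloader"          # User-Agent named in the write-up
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")          # printable ASCII runs
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # UTF-16LE runs (WinINet often takes wide strings)


def extract_strings(data: bytes) -> list:
    """Return printable ASCII and UTF-16LE strings of six or more characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return found


def triage(data: bytes) -> dict:
    """Flag the compile-time parameters the write-up describes: UA, URL, SSL."""
    strings = extract_strings(data)
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    has_ua = any(UPATRE_UA in s for s in strings)
    # Port 443 drives WinINet onto SSL; an https scheme is the same signal.
    uses_ssl = any(u.startswith("https://") or ":443" in u for u in urls)
    return {
        "user_agent_match": has_ua,
        "urls": urls,
        "ssl_download": uses_ssl,
        "suspect": has_ua and bool(urls),
    }


# Constructed sample: a fake MZ header, a wide User-Agent and an ASCII URL.
# The hostname is a placeholder and not an indicator from the report.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + UPATRE_UA.encode("utf-16le") + b"\x00\x00"
    + b"https://compromised-site.example/path/payload.bin\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it against a real sample with `triage(open(path, "rb").read())`; a hit on both the User-Agent and a hard-coded https URL is worth escalating even when the download host is a legitimate, compromised site.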
The Upatre samples analyzed by CTU researchers have the following MD5 hashes:
The Upatre downloader has used the following URLs:
The operators of Gameover ZeuS regularly update their tactics, techniques, and procedures (TTP). Their latest move appears to complicate signature-based network detection for their malware downloaders by using compromised websites and SSL. The prolonged use of the Cutwail spam botnet for attracting new victims indicates that these campaigns continue to be effective. The CTU research team advises organizations to remain vigilant and to deploy a defense-in-depth strategy that includes the following components: