Hackers use encryption to server a GameOver Zeus banking malware

Security experts at Malcovery firm have detected a new Zeus variant bypassing the security traditional defenses with the usage of encryption.

Zeus malware is hard to die, the availability of its source code in the wild caused periodically the born of a new variant, even more resistant  and sophisticated. Over the years, we saw variants designed to exploit social networks, to exploit P2P communication protocol, the Tor network to hide C&C and code ready for 64bit architecture. Experts at Malcovery Security company have discovered a new technique adopted by attackers to delivery Zeus malicious code, avoiding security defenses, the last version in fact was able to be undetected by none of 50 security programs on Google’s online virus scanning service VirusTotal.

Gary Warner, Malcovery’s chief technologist, published a blog post to describe how Zeus variant uses encryption to bypass perimeter security.

“Encrypting their EXE file so that as it passes through your firewall, webfilters, network intrusion detection systems and any other defenses you may have in place, it is doing so as a non-executable “.ENC” file. If you are in charge of network security for your Enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently.” Said Warner.

The attackers used to spread the malicious agent with spam campaign, which spoofed brands and organizations, including the payment processor ADP and the British tax authority HMRC. The malicious mails have a “.zip” file attached, the compressed archive contains an application titled UPATRE. The application UPATRE is used to download the encrypted file from the Internet and decrypt it to extract and execute the GameOver Zeus .exe file.

“In the new delivery model, the .zip file attached to the email has a NEW version of UPATRE that first downloads the .enc file from the Internet and then DECRYPTS the file, placing it in a new location with a new filename, and then causing it both to execute and to be scheduled to execute in the future.” reports the blog post.

The experts at Malcovery noted that all  the spam campaigns observed have a common origin, they are all being distributed by the criminals behind the Cutwail malware delivery infrastructure. It is likely that we are facing with a malware-as-a-service model of sale, so different criminal gangs are renting to infrastructure to conduct their malicious campaign.

“It is likely that many different criminals are paying to use this infrastructure,” Warner wrote.

As suggested by experts at Malcovery, it is necessary to analyze also .enc file to avoid problem because they can be used to hide malicious code. Network administrators have to carefully check their logs to see if any “.enc” files have been downloaded on their networks. Malcovery firm has already detected nearly 32,000 emails exploiting the attack scheme described.