June 03, 2014
The malicious mails use social engineering, impersonating financial institutions and government agencies, and carry a ".zip" file attachment. The compressed archive contains an application known as UPATRE. UPATRE downloads an encrypted file from compromised websites (the encryption is there to get the payload past perimeter defences), decrypts it, and then extracts and executes Gameover.
Gameover falls back to a domain generation algorithm (DGA) if it cannot reach the P2P network to refresh its peer list. Stolen data and instructions are relayed through a peer using RC4 encryption, via an HTTP proxy server that is built into the malware.
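The DGA fallback described above shows up in resolver logs as a burst of failed lookups for random-looking names from one client. The following is an added example, not part of the advisory and not a reproduction of Gameover's own DGA (which is not included here): a generic anomaly check of the kind the post-infection log monitoring recommended later on this page can run over DNS logs. The log format, the thresholds (60-second window, 8 distinct failed names, mean entropy of 3.0 bits per character) and the sample log lines are all constructed for the example.

```python
"""Heuristic detection of DGA-style fallback lookups in resolver logs.

Added example for this page; it does not implement Gameover's actual DGA.
A client that produces many NXDOMAIN answers for distinct, high-entropy
second-level labels inside a short window is reported as a suspect.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window length (assumption)
MIN_NXDOMAIN = 8                 # distinct failed names per window (assumption)
MIN_ENTROPY = 3.0                # mean Shannon entropy of the SLD, bits/char (assumption)

# Constructed sample resolver log, one record per line:
#   <ISO timestamp> <client IP> <query name> <response code>
# 10.0.0.5 is a normal host (one typo lookup); 10.0.0.9 behaves like a DGA client.
SAMPLE_LOG = """\
2014-06-03T10:00:01 10.0.0.5 www.example.com NOERROR
2014-06-03T10:00:02 10.0.0.5 mail.example.com NOERROR
2014-06-03T10:00:03 10.0.0.9 ndkxqzwprtlmvbgy.com NXDOMAIN
2014-06-03T10:00:04 10.0.0.5 cdn.example.net NOERROR
2014-06-03T10:00:05 10.0.0.9 hfjcuxopqawsbnmt.net NXDOMAIN
2014-06-03T10:00:06 10.0.0.5 wwww.exmaple.com NXDOMAIN
2014-06-03T10:00:07 10.0.0.9 zyvrqplkgfdsamwe.org NXDOMAIN
2014-06-03T10:00:09 10.0.0.9 qwtbpzxlmcnkvhdr.biz NXDOMAIN
2014-06-03T10:00:11 10.0.0.9 pmxkzsdqrgvbnhjc.com NXDOMAIN
2014-06-03T10:00:13 10.0.0.9 lkjhgfdzxcvbnmqw.net NXDOMAIN
2014-06-03T10:00:15 10.0.0.9 trxbkgqvzpmdlnws.org NXDOMAIN
2014-06-03T10:00:17 10.0.0.9 cvxzqlkjhgfdsmnb.biz NXDOMAIN
2014-06-03T10:00:19 10.0.0.9 wqrtzplkmvbnxcdg.com NXDOMAIN
2014-06-03T10:00:21 10.0.0.9 bnmkjhgfdsazxcvq.net NXDOMAIN
2014-06-03T10:00:23 10.0.0.9 khzmbqgtwdrnlpvx.biz NOERROR
2014-06-03T10:00:30 10.0.0.5 www.example.com NOERROR
"""


def shannon_entropy(label: str) -> float:
    """Bits per character; a 16-letter label with no repeats scores exactly 4.0."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """'ndkxqzwprtlmvbgy.com.' -> 'ndkxqzwprtlmvbgy' (naive: no public-suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Turn the four-field log format into (timestamp, client, qname, rcode) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, client, qname, rcode = line.split()
        events.append((datetime.fromisoformat(ts), client, qname, rcode))
    return events


def find_dga_suspects(events):
    """Return {client: (distinct_failed_names, mean_entropy)} for clients that
    exceed both thresholds inside some WINDOW-long span of their NXDOMAIN answers."""
    by_client = defaultdict(list)
    for ts, client, qname, rcode in events:
        if rcode == "NXDOMAIN":
            by_client[client].append((ts, second_level_label(qname)))
    suspects = {}
    for client, fails in by_client.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            labels = {lab for ts, lab in fails[i:] if ts - start <= WINDOW}
            if len(labels) >= MIN_NXDOMAIN:
                mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
                if mean_ent >= MIN_ENTROPY:
                    suspects[client] = (len(labels), round(mean_ent, 2))
                    break
    return suspects


if __name__ == "__main__":
    for client, (count, ent) in find_dga_suspects(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {count} distinct NXDOMAIN names, mean entropy {ent} bits/char")
```

Expect false positives from legitimate high-entropy names (CDN and tracking hostnames) and single typos, which is why the check requires a burst of distinct failures rather than one odd name; tune the thresholds against your own resolver's baseline before alerting on them.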
The Gameover malware mainly performs the following functions:
- Steals banking and Bitcoin exchange credentials, using a diverse set of features to capture information from a victim: keystroke logging, form grabbing, credential scraping, HTML injection, etc.
- Implements a decentralized P2P infrastructure for C2 communication (supports both IPv4 and IPv6)
- Defends itself by installing a kernel-mode rootkit
- Launches distributed denial-of-service (DDoS) attacks (using the Dirt Jumper DDoS kit)
Recommendations and countermeasures
- Keep antivirus, operating system, and browser software up to date.
- Do not follow unsolicited web links or open attachments in email messages.
- Filter email and scan the contents of email file attachments; consider blocking executable file types.
- Deploy advanced malware protection devices in-line with incoming email streams containing malicious file attachments as well as subsequent file downloads.
- Implement end-point controls on users' computers to help limit the opening of malicious file attachments and to catch malware installation / execution.
- Apply post-infection controls such as firewall policies, web proxies, monitoring of file downloads (including over HTTPS), and associated log monitoring to identify anomalies.
- Protect yourself against social engineering attacks.
- Exercise caution while visiting websites.
- Enable firewall at Desktop and gateway level.
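One way to implement the attachment filtering recommended above (scanning attachment contents and blocking executable file types), written for this page as an added example rather than taken from the advisory or from any vendor product: the dropper described at the top arrives as a ".zip" whose member may carry a double extension such as "statement.pdf.exe", so the check decides by content (the "MZ" header of a Windows executable) as well as by extension, and recurses into nested archives. The extension blocklist, nesting depth and member size limits are illustrative assumptions, and the sample attachment is constructed inside the block.

```python
"""Inspect a mail attachment ZIP for executable payloads before delivery.

Added example for this page (not the advisory's own tooling). Flags a
member when its extension is on a blocklist OR its bytes begin with the
PE/DOS 'MZ' magic, so a renamed executable is still caught, and descends
into nested ZIPs with depth and size guards against decompression bombs.
"""
import io
import zipfile

# Assumption: a typical mail-gateway blocklist of directly executable types.
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "cpl", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "jar", "msi", "hta"}
PE_MAGIC = b"MZ"                      # first two bytes of every Windows PE file
MAX_DEPTH = 3                         # nested-archive limit (assumption)
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate huge members (assumption)


def is_executable(name: str, head: bytes) -> bool:
    """Executable if the last extension is blocklisted or the content is a PE."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in EXEC_EXTENSIONS or head.startswith(PE_MAGIC)


def find_executables(zip_bytes: bytes, prefix: str = "", depth: int = 0) -> list:
    """Return member paths (outer.zip/inner.zip/file style) that look executable."""
    findings = []
    if depth > MAX_DEPTH:
        findings.append(prefix + "<nesting too deep>")
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(path + " <oversized member>")
                continue
            with zf.open(info) as member:
                data = member.read()
            if is_executable(info.filename, data[:2]):
                findings.append(path)
            if zipfile.is_zipfile(io.BytesIO(data)):    # nested archive (also SFX)
                findings.extend(find_executables(data, path + "/", depth + 1))
    return findings


def should_block(zip_bytes: bytes) -> bool:
    """Gateway policy: block the whole attachment if anything executable is inside."""
    return bool(find_executables(zip_bytes))


def build_sample_attachment() -> bytes:
    """Constructed test data: a dropper-like ZIP with a double-extension EXE,
    a benign text file, a .doc whose bytes are really a PE, and a nested ZIP."""
    fake_pe = PE_MAGIC + b"\x90" * 62 + b"\x00" * 64   # only the magic; not a real binary
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.scr", fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Statement_June2014.pdf.exe", fake_pe)
        z.writestr("readme.txt", b"Please see the attached statement.\n")
        z.writestr("notes.doc", fake_pe)            # extension lies; content is PE
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for hit in find_executables(sample):
        print("executable member:", hit)
    print("block attachment:", should_block(sample))
```

Content-based checks like this catch renamed and double-extension droppers but not every downloader format (scripts and macro documents need their own checks), which is why the advisory pairs gateway filtering with end-point controls and post-infection monitoring.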
A non-exhaustive list of anti-malware tools to detect and remove the threat
scanner (Windows Vista, 7 and 8)
tools/-/carousel/view/142 (Windows XP)
- Heimdal Security
http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)
us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)
- Sophos
http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)
(Windows XP, Windows Vista and Windows 7)
- Trend Micro
http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)