Skip to content ↓ | Skip to navigation ↓

The authors behind the GameOver Zeus malware have shifted tactics to include using encryption to evade detection according to malware researchers who say the new method of obfuscation made the malicious code undetectable by the 50 antivirus products used by VirusTotal.

“The criminals behind the malware delivery system for GameOver Zeus have a new trick,” wrote Malcovery’s Gary Warner. “Encrypting their EXE file so that as it passes through your firewall, webfilters, network intrusion detection systems and any other defenses you may have in place. It is doing so as a non-executable ‘.ENC’ file.”

Warner goes on to explain that the encrypted file technically malware because it doesn’t ever actually execute.

“All Windows EXE files start with the bytes ‘MZ’. These files start with ‘ZZP’. They aren’t executable, so how could they be malware? Except they are,” Warner said. “In the new delivery model, the .zip file attached to the email has a NEW version of UPATRE that first downloads the .enc file from the Internet and then DECRYPTS the file, placing it in a new location with a new filename, and then causing it both to execute and to be scheduled to execute in the future.”

The researchers have sent copies of all the malware they have detected using the tactic to several security researchers and law enforcement, as well as uploading all of the files to VirusTotal.

The malware is being spread by way of spam emails with a tainted .zip file attachment with a small .exe file that is designed to “download larger more sophisticated malware that would never pass through spam filters without causing alarm, but because of the way our perimeter security works, are often allowed to be downloaded by a logged in user from their workstation,” according to Warner.

“If you are in charge of network security for your Enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently,” Warner advised.

Read More Here…