Keeping Up with the Damage of UPATRE

Written by: Leo Marvin Balante

We have noticed a resurgence of the UPATRE malware family. We attribute it to the new arrival vectors attackers have used to infect systems across the globe: social engineering lures, malicious downloads from links embedded in spammed emails, malicious redirections, and malvertisements.

In Trend Micro's annual report, which takes the spam landscape as one of its key points, UPATRE stood out as the most prevalent malware in spammed messages throughout 2014. The number of spam campaigns linked to UPATRE dropped in June after the Gameover takedown, but it then climbed gradually again, a rise that pointed to the use of the Cutwail botnet. Data collected by the Smart Protection Network™ shows this increase clearly in the last quarter of 2014, when UPATRE made up almost 40% of malware-carrying spam.

In just a 30-day span, from January 17 to February 16, 2015, UPATRE detections exceeded 13,000 and were spread across several regions, led by the United States (50%), Australia (18%), Canada (6%), New Zealand (4%), and Japan (3%).

Figure 1. UPATRE detections from January 17 to February 16, 2015

How does UPATRE arrive into users’ systems?

Figure 2. New arrival vectors used by UPATRE

First spotted in 2013, UPATRE emerged after the fall of the Blackhole Exploit Kit. Its variants usually arrive as malicious files posing as legitimate email attachments, for example PDF or screensaver (.SCR) files spammed by a malicious user or by other malware/grayware, as seen in the CUTWAIL spam attack of October 2014. A variant may also arrive as a file dropped by other malware, or as a file users unwittingly download when visiting compromised sites.

Recent observations of this malware family, however, show new arrival vectors being used to infect users' systems: social engineering lures, malicious files downloaded through links embedded in spammed messages, and redirections via malvertisements.

What happens to users’ systems?

Figure 3. UPATRE capabilities upon installation

Upon installation, UPATRE drops copies of itself on the system and executes them. It then connects to possibly malicious URLs to download and execute further malicious files, typically additional malware; the best-known payloads are ZBOT, CRILOCK, DYRE, and ROVNIX, each of which severely compromises the security of the infected system. Finally, UPATRE deletes the file that was initially executed.

ZBOT is known for using peer-to-peer connections to reach its command-and-control (C&C) servers. CRILOCK, known for encrypting files, holds the victim's data hostage unless a ransom is paid. DYRE is a banking Trojan capable of monitoring sessions and stealing credentials used in online transactions with various banks. Lastly, ROVNIX endangers both home users and enterprises through its ability to steal passwords and record keystrokes.
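The sequence described above (drop a copy, run it, connect out, download and run a second stage, delete the original) can be correlated from endpoint telemetry. The following is an added example, not code from this post or from Trend Micro: it replays constructed Sysmon-style events, one JSON object per line, and raises an alert when a single process tree shows at least three of the four steps. The event field names, the file paths, the 203.0.113.10 address and the threshold are all assumptions of the example.

```python
"""Correlate endpoint events into a UPATRE-style downloader chain (added example, not Trend Micro code).

Steps looked for inside one process tree: the lure executable writes and
runs a copy of itself; the copy makes an outbound connection and then writes
another executable; that executable is run; the original file is deleted.
Field names, paths, addresses and the threshold are assumptions.
"""
import json

EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com")

# Constructed telemetry. Paths are invented and 203.0.113.10 is a
# documentation address; neither comes from the post.
SAMPLE_EVENTS = [
    r'{"event":"process_create","pid":100,"ppid":50,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\Invoice_2015.pdf.scr"}',
    r'{"event":"file_create","pid":100,"target":"C:\\Users\\u\\AppData\\Local\\Temp\\Invoice_2015_copy.exe"}',
    r'{"event":"process_create","pid":101,"ppid":100,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\Invoice_2015_copy.exe"}',
    r'{"event":"network_connect","pid":101,"dest":"203.0.113.10:80"}',
    r'{"event":"file_create","pid":101,"target":"C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe"}',
    r'{"event":"process_create","pid":102,"ppid":101,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe"}',
    r'{"event":"file_delete","pid":101,"target":"C:\\Users\\u\\AppData\\Local\\Temp\\Invoice_2015.pdf.scr"}',
    # Benign noise: an installer that drops and runs a helper but never phones home or self-deletes.
    r'{"event":"process_create","pid":200,"ppid":50,"image":"C:\\Program Files\\Vendor\\setup.exe"}',
    r'{"event":"file_create","pid":200,"target":"C:\\Program Files\\Vendor\\helper.exe"}',
    r'{"event":"process_create","pid":201,"ppid":200,"image":"C:\\Program Files\\Vendor\\helper.exe"}',
]


def build_process_table(events):
    """Index events by pid: image, parent, children, ordered writes, first outbound connect."""
    procs, deleted = {}, set()
    for idx, ev in enumerate(events):
        kind, pid = ev["event"], ev["pid"]
        if kind == "process_create":
            procs[pid] = {"image": ev["image"].lower(), "ppid": ev["ppid"],
                          "children": [], "writes": [], "connect_at": None}
            if ev["ppid"] in procs:
                procs[ev["ppid"]]["children"].append(pid)
            continue
        if kind == "file_delete":
            deleted.add(ev["target"].lower())
            continue
        if pid not in procs:
            continue  # activity from a process whose start we never saw
        if kind == "file_create":
            procs[pid]["writes"].append((idx, ev["target"].lower()))
        elif kind == "network_connect" and procs[pid]["connect_at"] is None:
            procs[pid]["connect_at"] = idx
    return procs, deleted


def executed_drops(procs, pid):
    """Children of pid whose image is an executable that pid itself wrote."""
    written = {path for _, path in procs[pid]["writes"] if path.endswith(EXEC_SUFFIXES)}
    return [child for child in procs[pid]["children"] if procs[child]["image"] in written]


def chain_signals(procs, deleted, root):
    """Which steps of the drop -> run -> connect -> drop -> run -> delete chain root shows."""
    signals = set()
    for copy in executed_drops(procs, root):
        signals.add("drops_and_runs_copy")
        c = procs[copy]
        # Without payload content, a write after the first outbound connection is
        # the closest available proxy for "downloaded a second stage".
        if c["connect_at"] is not None and any(i > c["connect_at"] for i, _ in c["writes"]):
            signals.add("writes_file_after_outbound_connection")
        if executed_drops(procs, copy):
            signals.add("runs_downloaded_executable")
    if procs[root]["image"] in deleted:
        signals.add("original_file_deleted")
    return sorted(signals)


def detect_downloader_chains(lines, min_signals=3):
    """Alert on every process tree showing at least min_signals of the four steps."""
    procs, deleted = build_process_table([json.loads(line) for line in lines])
    alerts = []
    for pid, proc in procs.items():
        signals = chain_signals(procs, deleted, pid)
        if len(signals) >= min_signals:
            alerts.append({"root_pid": pid, "image": proc["image"], "signals": signals})
    return alerts


if __name__ == "__main__":
    for alert in detect_downloader_chains(SAMPLE_EVENTS):
        print(alert)
```

Requiring three of the four steps keeps ordinary installers, which also drop and run a helper, from alerting, while still catching a chain whose self-delete event was missed by the sensor; tune min_signals to the telemetry you actually collect.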

What’s so interesting about UPATRE?

With new arrival vectors and continuously evolving techniques to trick users into executing the malware, users are at greater risk. Cybercriminals still rely on spammed messages as their main weapon for infecting systems, and spreading the threat through social engineering lures and malvertising makes it easier to turn careless online users into victims.

Note also how significantly it has evolved. UPATRE was first detected as an archive attached to spammed messages; it has since progressed to a password-protected archive disguised as a legitimate attachment, whose contents a scanner cannot inspect without the password. One variant of the family, TROJ_UPATRE.SMNF, connects the affected system to a possibly malicious URL to send and receive information. Newer variants pose a more serious threat: they act as downloaders for high-impact, information-stealing malware.
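The attachment shapes described here and in the earlier section on arrival vectors (a screensaver file posing as a document, an archive holding one, a password-protected archive) can be checked at the mail gateway before the user ever sees the lure. The following is an added example, not code from this post or from Trend Micro: it parses a constructed .eml, reads the encryption flag straight from each zip entry's local file header, and flags double extensions and files whose content does not match their declared type. The sample message, the extension lists and the verdict names are assumptions of the example.

```python
"""Mail-gateway triage for UPATRE-style lures (added example, not Trend Micro code).

Flags the attachment shapes the post describes: a password-protected
archive, an archive holding a screensaver or other executable, a double
extension such as "Invoice.pdf.scr", and a file whose content does not
match its declared type.  Extension lists, verdict names and the sample
message are assumptions of this example.
"""
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs on double-click; .scr (screensaver) is the one the post names.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_LOCAL_FMT = "<IHHHHHIIIHH"   # 30-byte local file header (PKWARE APPNOTE 4.3.7)
FLAG_ENCRYPTED = 0x0001           # general-purpose bit 0: entry is encrypted


def iter_zip_entries(data):
    """Yield (name, encrypted) per local file header, read from the header bytes
    themselves so the check survives a damaged central directory.  Entries written
    with a data descriptor carry a zero size here; the scan resumes after the name."""
    off = 0
    while True:
        idx = data.find(ZIP_LOCAL_SIG, off)
        if idx < 0 or idx + 30 > len(data):
            return
        (_sig, _ver, flags, _method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from(ZIP_LOCAL_FMT, data, idx)
        name = data[idx + 30:idx + 30 + name_len].decode("utf-8", "replace")
        yield name, bool(flags & FLAG_ENCRYPTED)
        off = idx + 30 + name_len + extra_len + csize


def extensions(name):
    """All dotted suffixes, lowercased: 'Invoice.pdf.scr' -> ['.pdf', '.scr']."""
    return ["." + part for part in name.lower().split(".")[1:]]


def judge_file(name, content):
    """Verdict for one file (attachment or archive member) from its name and magic bytes."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if content[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        return "block", f"PE executable named {name}"
    if last in EXECUTABLE_EXTS:
        return "block", f"double extension {''.join(exts)}" if len(exts) > 1 else f"executable {last}"
    if last == ".pdf" and not content.startswith(b"%PDF"):
        return "block", "named .pdf but lacks the %PDF header"
    return "allow", "no indicator"


def judge_archive(data):
    """Verdict for a zip attachment; members are read only when nothing is encrypted."""
    entries = list(iter_zip_entries(data))
    if not entries:
        return "block", "archive with no parsable entries"
    if any(encrypted for _, encrypted in entries):
        return "quarantine", "password-protected archive"   # content cannot be inspected
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                verdict, why = judge_file(info.filename, zf.read(info.filename))
                if verdict != "allow":
                    return verdict, f"member {info.filename}: {why}"
    except zipfile.BadZipFile:
        return "block", "malformed archive"
    return "allow", "archive members carry no indicator"


def triage_message(raw):
    """Return [(filename, verdict, reason)] for every attachment of a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if data.startswith(ZIP_LOCAL_SIG) or extensions(name)[-1:] == [".zip"]:
            findings.append((name,) + judge_archive(data))
        else:
            findings.append((name,) + judge_file(name, data))
    return findings


def zip_with(member, content):
    """In-memory zip holding one member (constructed test data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def build_sample_message():
    """Constructed lure in the shape the post describes; no real sample is used."""
    fake_pe = b"MZ" + b"\x00" * 62        # DOS header magic only, not a runnable binary
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your invoice is attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(zip_with("Invoice_2015.pdf.scr", fake_pe), maintype="application",
                       subtype="zip", filename="Invoice_2015.zip")
    # Simulate password protection by setting bit 0 in the first local header's
    # flag field (offset 6); a real archiver would also encrypt the member data.
    locked = bytearray(zip_with("report.exe", fake_pe))
    locked[6] |= FLAG_ENCRYPTED
    msg.add_attachment(bytes(locked), maintype="application", subtype="zip", filename="report.zip")
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="order.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, why in triage_message(build_sample_message()):
        print(f"{verdict:10} {name}: {why}")
```

A password-protected archive gets a quarantine verdict rather than an outright block because the gateway cannot see what is inside; whether to release it is a decision for an analyst or a sandbox, not for a name-and-magic check.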

One variant in particular, TROJ_UPATRE.YYJS, downloads the final payload TSPY_BANKER.COR. This BANKER detection is associated with the notorious banking malware DYRE, which is known to perform man-in-the-middle attacks by infecting web browsers, monitor online banking transactions, and steal browser snapshots and banking credentials.

Are Trend Micro users protected from this threat?

Yes. Trend Micro products are powered by the Smart Protection Network, which detects and blocks the multiple components of this threat through file reputation, web reputation, and email reputation technologies. Users of Trend Micro Security for home users, Worry-Free™ Business Security for small businesses, and Smart Protection Suites for enterprises are protected from this threat.

What can users do to prevent these threats from affecting their computers?

Even with the recent increase in infections seen across the globe, users can protect themselves by following these best practices:

Be vigilant with the emails you receive. Take extra caution with emails that carry links or attachments, and delete anything that looks suspicious.
Be mindful of how you engage with social media. Think before you click.
Install an antimalware solution that covers all bases of online security, including a layer of protection against spam and other social engineering tactics. This greatly reduces the chance of accidentally opening a malicious email.