Cybercriminals are distributing the notorious downloader known as Upatre with the aid of spam emails that purport to come from major financial institutions such as Lloyds TSB and Wells Fargo.
According to Trend Micro, the fake emails inform recipients that they’ve received a new secure message. Potential victims are instructed to open the .msg file in the attachment to see the message.
Once it infects a device, the malware starts downloading other threats.
The analyzed sample downloads a variant of ZeuS (TSPY_ZBOT.YYKE), which in turn downloads a version of Necurs (RTKT_NECURS.RBC). Necurs is designed to disable security features on compromised computers, leaving them open to further infections.
After the fall of the BlackHole exploit kit, cybercriminals started distributing Upatre as an attachment. Later, they hid the malware inside password-protected attachments. Now, they’ve once again changed their tactics.
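The lure described above (a spoofed bank sender, a "new secure message" notice, and a .msg file attached) can be flagged at the mail gateway before a user opens the attachment. The following triage script is an added example written for this page; it is not code from Trend Micro or from the article. It uses only Python's standard `email` package. The brand-to-domain table and both sample messages are constructed for the example: the domains are `.example` placeholders, and a real deployment would substitute the organisation's verified sender list.

```python
import email
from email import policy
from email.utils import parseaddr

# Brands impersonated in the campaign, mapped to the domains they are expected
# to send from. ASSUMPTION for this example: placeholder domains only; replace
# them with a verified sender list in a real deployment.
EXPECTED_SENDER_DOMAINS = {
    "wells fargo": {"wellsfargo.example"},
    "lloyds tsb": {"lloydstsb.example"},
}

LURE_PHRASES = ("secure message", "secure email")
RISKY_ATTACHMENT_SUFFIXES = (".msg",)

# Constructed sample modelled on the lure in the article (not a captured email).
SAMPLE_LURE = """From: "Wells Fargo Secure Messaging" <notice@mailer.invalid>
To: victim@example.org
Subject: You have received a new secure message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You have received a new secure message from Wells Fargo.
Please open the attached .msg file to view it.

--b1
Content-Type: application/octet-stream; name="SecureMessage.msg"
Content-Disposition: attachment; filename="SecureMessage.msg"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign message from the brand's expected (placeholder) domain.
SAMPLE_BENIGN = """From: "Wells Fargo" <alerts@wellsfargo.example>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Sign in to online banking to view your statement.
"""


def analyse_message(raw):
    """Return the indicators found in one RFC 822 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subject = (msg.get("Subject") or "").lower()

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""

    indicators = []

    # 1. A .msg file (or other risky type) delivered as an attachment.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_SUFFIXES):
            indicators.append("msg_attachment:" + name)

    # 2. The "secure message" wording of the lure in subject or body.
    if any(p in subject or p in body for p in LURE_PHRASES):
        indicators.append("secure_message_lure")

    # 3. A bank brand is claimed, but the sender domain is not that brand's.
    claimed = display_name.lower() + " " + body
    for brand, domains in EXPECTED_SENDER_DOMAINS.items():
        if brand in claimed and sender_domain not in domains:
            indicators.append("brand_domain_mismatch:" + brand)

    # The lure phrase alone is weak evidence; require a second indicator.
    suspicious = "secure_message_lure" in indicators and len(indicators) >= 2
    return {"sender_domain": sender_domain,
            "indicators": indicators,
            "suspicious": suspicious}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, analyse_message(raw))
```

The verdict deliberately requires the lure phrase plus at least one corroborating indicator, so a legitimate "secure message" notice from the brand's own domain without a risky attachment is not flagged; the password-protected attachment variant mentioned in the article would need a separate check for encrypted archives, which this example does not attempt.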
“UPATRE’s evolution is proof that threats will find new ways and techniques to get past security solutions,” noted Marilyn Melliang, senior threat research engineer with Trend Micro.