Upatre Downloader Distributed via Banking-Themed Spam Campaign

Spam emails used to distribute Upatre

Cybercriminals are distributing the notorious downloader known as Upatre with the aid of spam emails that purport to come from major financial institutions such as Lloyds TSB and Wells Fargo.

According to Trend Micro, the fake emails inform recipients that they’ve received a new secure message. Potential victims are instructed to open the .msg file in the attachment to see the message.

The .msg file contains a second .msg file, and it is this inner file that carries Upatre (TROJ_UPATRE.YYKE). Nesting the payload one level down is likely intended to keep the malware from being immediately detected by security solutions that inspect only the outer attachment.
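A defender's triage check for the lure described above, written here as an added example (it is not code from the original article or from Trend Micro). It walks a MIME message with the Python standard library, flags attachments that are Outlook .msg files (by extension or by the OLE2 header magic), and looks inside the raw bytes for the storage name `__substg1.0_3701000D`, which the MS-OXMSG format uses for an attachment that is itself an embedded message. The sample email and its attachment bytes are constructed for the demonstration; the attachment is not a real compound file, it only carries the markers the check looks for.

```python
"""Defender-side triage for mail carrying nested Outlook .msg attachments (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Compound File Binary (OLE2) header magic; every Outlook .msg file starts with it.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# In an Outlook .msg, an attachment that is itself an embedded message is stored in a
# storage named "__substg1.0_3701000D" (PR_ATTACH_DATA_OBJ with type PT_OBJECT).
# Compound-file directory entry names are UTF-16LE, so the marker can be searched for
# in the raw bytes without a full OLE parser. This is a heuristic, not a parser.
EMBEDDED_MSG_MARKER = "__substg1.0_3701000D".encode("utf-16-le")


def looks_like_ole(data: bytes) -> bool:
    """True when the attachment bytes begin with the OLE2/CFB signature."""
    return data[:8] == OLE_MAGIC


def count_embedded_messages(data: bytes) -> int:
    """Count embedded-message attachment storages referenced in raw .msg bytes."""
    return data.count(EMBEDDED_MSG_MARKER)


def triage_message(raw: bytes) -> list:
    """Return (filename, reason) findings for attachments worth a closer look."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        is_msg_name = name.lower().endswith(".msg")
        is_ole = looks_like_ole(payload)
        if is_msg_name or is_ole:
            # Extension and magic are checked separately so a renamed file is still caught.
            findings.append((name, "outlook-msg-attachment"))
        if is_ole:
            nested = count_embedded_messages(payload)
            if nested:
                findings.append((name, f"nested-msg-x{nested}"))
    return findings


def build_sample() -> bytes:
    """Constructed sample resembling the lure: a 'secure message' mail whose .msg
    attachment carries an embedded-message storage name. The attachment bytes are
    a stand-in, not a real compound file."""
    fake_msg = OLE_MAGIC + b"\x00" * 64 + EMBEDDED_MSG_MARKER + b"\x00" * 16
    m = EmailMessage()
    m["From"] = "secure-messaging@bank.example"   # constructed sender
    m["To"] = "recipient@corp.example"            # constructed recipient
    m["Subject"] = "You have received a new secure message"
    m.set_content("Please open the attached secure message.")
    m.add_attachment(fake_msg, maintype="application", subtype="vnd.ms-outlook",
                     filename="SecureMessage.msg")
    return m.as_bytes()


if __name__ == "__main__":
    for filename, reason in triage_message(build_sample()):
        print(f"{filename}: {reason}")
```

On a mail gateway the same two signals, a .msg attachment and an embedded-message storage inside it, can feed a quarantine rule or an alert; a real deployment would parse the compound file properly rather than rely on the byte search alone.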

Once it infects a device, the downloader fetches additional threats.

The sample analyzed by Trend Micro downloads a variant of ZeuS (TSPY_ZBOT.YYKE), which in turn downloads a version of Necurs (RTKT_NECURS.RBC). Necurs is designed to disable security features on compromised computers to make them vulnerable to other infections.

Upatre is also used by cybercriminals to distribute pieces of ransomware like the notorious CryptoLocker.

After the fall of the BlackHole exploit kit, cybercriminals started distributing Upatre as an attachment. Later, they hid the malware inside password-protected attachments. Now, they’ve once again changed their tactics.

“UPATRE’s evolution is proof that threats will find new ways and techniques to get past security solutions,” noted Marilyn Melliang, senior threat research engineer with Trend Micro.
