Upatre is a Trojan Downloader family that, once installed, is responsible for stealing information and downloading additional malware onto the victim machine. It typically arrives via spammed e-mail messages from the Cutwail Botnet, either as an attachment or via a URL pointing to a remote hosting site. We are also seeing Exploit Kits being used as a vector for Upatre infections in the wild.
|Upatre Downloader cybercrime network|
Upon successful infection, Upatre has been responsible for downloading malicious payloads from known malware families such as:
The Upatre malware family was first discovered in August 2013 and its infection rate had increased exponentially by October 2013. With the demise of the popular Blackhole Exploit Kit in October 2013, many malware authors resorted to traditional spam, with the Upatre Trojan downloader as the medium for delivering the ultimate payload, which also contributed to the increase in infections.
The Upatre malware authors have deployed multiple new techniques over the past year, which is why it is one of the most prevalent malware families today. Some of the features that we have tracked include:
Over the past month we have seen an increase in the number of Upatre Downloader infections occurring through spammed messages containing fake invoices or voice-mail notifications. The final payload downloaded by these recent Upatre infections tends to be the Dyreza Banking Trojan. Below is a sample e-mail message from this campaign:
|Cutwail spam e-mail leading to Upatre|
If the user clicks on the link in the e-mail, they are redirected to the same site, with additional information identifying the operating system appended to the URI, before the payload is served, as seen here:
GET /documents/invoice_101114_pdf.php?h=[3 digit integer]&w=[4 digit integer]&ua=[User-Agent String]&e=1 HTTP/1.1
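As an added defender-side example (not code from the original post), the following Python checker flags proxy log lines whose request URL matches the lure pattern above: a path ending in `_pdf.php`, a 3-digit `h`, a 4-digit `w`, a non-empty `ua` and `e=1`. The log lines, client addresses and host names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the original post): "client method url status"
SAMPLE_LOG = """\
10.0.0.5 GET http://example-host.invalid/documents/invoice_101114_pdf.php?h=768&w=1024&ua=Mozilla%2F5.0%20(Windows%20NT%206.1)&e=1 200
10.0.0.7 GET http://www.example.com/index.html 200
10.0.0.9 GET http://example-host.invalid/documents/invoice_101114_pdf.php?h=12&w=1024&ua=Mozilla&e=1 200
10.0.0.4 GET http://example-host.invalid/files/statement_pdf.php?h=900&w=1440&ua=Mozilla%2F5.0&e=1 302
"""

PATH_RE = re.compile(r"/[^/]+_pdf\.php$")  # PHP script disguised as a PDF document
H_RE = re.compile(r"^\d{3}$")               # h is a 3-digit integer in the observed request
W_RE = re.compile(r"^\d{4}$")               # w is a 4-digit integer in the observed request


def matches_upatre_lure(url: str) -> bool:
    """True if url has the *_pdf.php path plus h, w, ua and e=1 parameters
    in the shape seen in the Upatre campaign request."""
    parts = urlsplit(url)
    if not PATH_RE.search(parts.path):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if any(k not in qs for k in ("h", "w", "ua", "e")):
        return False
    return (H_RE.match(qs["h"][0]) is not None
            and W_RE.match(qs["w"][0]) is not None
            and qs["ua"][0] != ""
            and qs["e"][0] == "1")


def find_suspicious(log_text: str) -> list:
    """Return (client, url) for every GET log line whose URL matches the lure pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        client, method, url = fields[0], fields[1], fields[2]
        if method == "GET" and matches_upatre_lure(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_suspicious(SAMPLE_LOG):
        print(f"suspicious request from {client}: {url}")
```

The third sample line is deliberately left unflagged because its `h` value has only two digits, which shows the parameter checks doing more than a bare path match.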
The user will then be prompted to download a zipped archive file, which contains a new variant of the Upatre Trojan downloader as seen below:
|Upatre download in an archive|
The user is redirected to a legitimate site (e.g. "www.hsbc.com") if the operating system is not supported, or at the end of the download cycle.
|Upatre network communication|
|Dyreza banking Trojan encrypted and decrypted payload|
|Part of Upatre decryption routine for downloaded payload|
|unpacked Upatre binary|
|Upatre indicators of compromise|