The malware UPATRE was gained much prominence following the demise of the Blackhole Exploit kit. It was since known as one of the top malware seen attached to spammed messages and continues to be so all throughout 2014 with particularly high numbers seen in the fourth quarter of the year. We have released our annual roundup where we talked about the different trends related to spam, and this entry offers a closer look.
Looking back at 2014: Notable Spam Trends
Based on our backend honeypot data for 2014, UPATRE stood out as the most prevalent threat that arrives via spammed messages. UPATRE is commonly distributed by the Cutwail botnet, which has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.
2014 also saw a significant rise in spammed emails with attached Microsoft Word documents that come with malicious macro codes that eventually lead to downloading various information stealing malware like VAWTRAK, DRIDEX, and ROVNIX malware. One example is the DRIDEX chain of infections seen in Q4 of 2014, in which we observed an uptick in spammed emails that lead to malicious .DOC and .XLS files that carry the malware.
Yearly Spam Volume
Figure 1. Year on year growth trend of spam
Source: Honeypot data
Results from our honeypot data show around 1.9 billion spammed emails in 2014. The numbers slightly rose from the one that of 2013 (1.6 billion). While this is no way represents the entire spam landscape it does give us an idea of the overall trends when it comes to spam. It also matches the trends from Trend Micro messaging products in our annual roundup. Note that the spam spike in 2011 can be attributed to a rise in .ZIP file attachments in spammed emails that led to the malware BREDOLAB.
Spammed Messages Carrying UPATRE
While there are bulk mail like those that sell pharmaceutical drugs or advertise replica watches, a certain percentage of spam carry malware. We will refer to these as “mal-spam” in the rest of this entry.
Similar to our 1H blog post on spam trends, UPATRE takes the lead as the top malware distributed via spam, followed by TSPY_ZBOT and BKDR_KULUOZ. In our 1H 2014 post, we wrote that the number of spam campaigns related to UPATRE went down in June due to the Gameover takedown that same month. Come July we observed a gradual increase, which can be attributed to the use of the Cutwail botnet.
Our honeypot data shows that UPATRE made up almost 30% of all mal-spam seen in 2014.
Figure 2. Top 10 malware from spam mails seen in 2014
Source: Honeypot data
Figure 3. TROJ_UPATRE vs. total mal-spam seen in 2014
Source: Honeypot data
The overall mal-spam decline toward the end of the year (Figure 3) can be attributed to the continuous decline of UPATRE spam samples seen in Q4. UPATRE spreading via attachments drastically declined in Q4. ecline in Q4, it still remains the most distributed malware via spam in 2014. Here’s a rundown of the blog entries we wrote about in 2014 that talk about UPATRE attached to spam.
- UPATRE Ups the Ante With Attachment Inside An Attachment
- CUTWAIL Spambot Leads to UPATRE-DYRE Infection
- ZBOT-UPATRE Far From Game Over, Uses Random Headers
- Social Engineering Watch: UPATRE Malware Abuses Dropbox Links
- The Timely Tale of Tax-related Threat Troubles
Top Social Engineering Lures of 2014
Social engineering plays a vital role in carrying out spam attacks. We found that the holidays and any type of breaking news are still effective ways to carry out social engineering attacks in spam. Here are some notable social engineering lures we wrote about in 2014, whose topics range from celebrity deaths to popular sporting events.
- Paul Walker Spam Arrives with Malware
- Sochi Olympics Spam Advertises Watches
- Valentines’ Day Span Arrives Just in Time for February
- Missing Malaysia Airlines Flight 370 Scam Arrives Via Email
- Fake World Cup Online Banking Spam Leads To Phishing Page
- Large Spike In Commercial Spam Using Microsize Salad Words Discovered
- Ebola Health Scare Spam Mail Leads To Phishing
Mixing Old and New Spam Techniques in 2014
Spammers have and continuously will blend old techniques with new ones in order to avoid detection to successfully victimize users. Some new techniques we’ve noted in 2014 include spam attached to spam, which is similar to backscatter email.
The blending of spam techniques is seen mostly in commercial spam. For instance, newborn domain spam often use the salad words technique mixed with invisible ink, character padding and newly registered domains.
With the prevalence of UPATRE and malicious macro downloaders on the rise, we can predict that spammed emails that carry these type of malware may soon bear more complex techniques. The social engineering aspect in spam, for one, is starting to veer away from social networking spam (Facebook and Twitter notifications) and instead uses templates known couriers and banks.
More in-depth information about the spam that dominated the threat landscape in 2014 can be found in our upcoming report, TrendLabs 2014 Annual Security Roundup – Magnified Losses Amplified Need for Cyber-attack Preparedness.