A new spam run disguised as invoice notifications was recently seen spreading the UPATRE malware, which ultimately downloads its final payload: a BANKER malware related to the DYREZA/DYRE banking malware.
Background
In early October we observed a surge of spammed messages sent by the CUTWAIL/PUSHDO botnet, totaling more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.
We spotted spammed emails that disguise themselves as invoice notifications or “new alert messages” from various companies and institutions.
Figure 1. Screenshots of spammed messages related to CUTWAIL/PUSHDO
The following URLs were found in the mail samples; clicking any of them downloads the malware (the URLs are shown defanged):
- http://andreahanksphotography[.]com/docs/
- http://bachatdeal[.]com/docs/
- http://binuli[.]ge/docs/
- http://brideinthewilderness[.]com/docs/
- http://www.aurorasurgery[.]org/docs/
- http://www.brianhomesinc[.]com/docs/
Based on our data, the top affected countries that accessed the malicious URLs found inside the spam body are the United States, China, Great Britain, and Japan. The top spam sending countries are Vietnam, India, and France.
Figure 2. Top spam sending countries for this CUTWAIL spam run
The UPATRE-DYRE connection
Upon accessing any of the malicious URLs in the spammed messages, an UPATRE variant detected as TROJ_UPATRE.YYJS is automatically downloaded onto the system. UPATRE is known for downloading other malware such as ZBOT and ransomware, and typically uses spam as its infection vector.
Based on our 1H 2014 spam report, UPATRE is the top malware seen in spam emails. With its continuously developing techniques, UPATRE remains one of the most prevalent malware families today. Examples of newer UPATRE techniques are its use of password-protected archives as attachments and its abuse of the online file storage platform Dropbox to bypass spam filters.
Figure 3. Top malware distributed via spam as of August 2014
In this attack, however, the UPATRE variant TROJ_UPATRE.YYJS downloads the final payload, TSPY_BANKER.COR, which is related to the DYREZA/DYRE banking malware. DYREZA is a banking malware with the following capabilities:
- Performs man-in-the-middle attacks via browser injections
- Steals banking credentials and monitors online banking session/transactions
- Steals browser snapshots and other information
Based on our analysis, TSPY_BANKER.COR connects to several websites to receive and send information. Given this chain of infections, affected systems also run the risk of having sensitive data (such as banking credentials) stolen and reused in future attacks.
Apart from the risk of stolen information, this spam run also highlights how a traditional threat like spam can serve as the delivery vehicle for more advanced malware. On a corporate workstation, a single such infection can in turn become the foothold for compromising an entire enterprise network.
Best practices and recommendations
We highly recommend that users take extra caution with emails that contain attachments or URLs in the message body. Check that the linked domains are legitimate and match the company named in the email. Also steer clear of suspicious-looking archive files attached to emails, such as those ending in .ZIP or .RAR. UPATRE is also known to use DocuSign-themed email templates, with lures posing as bank notifications, court notices, and receipts.
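The checks above (the published download URLs, sender versus link domain, archive attachments) can be turned into a simple triage script for a mail gateway or an analyst's inbox. The following is an added example written for this page, not Trend Micro's code or tooling. It embeds the six defanged URLs listed earlier as its IOC set, and the two test messages it builds are constructed for illustration (the `.test` sender domains and the `invoice_4521.zip` filename are assumptions, not samples from the campaign).

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Defanged download URLs from the CUTWAIL/PUSHDO spam run described on this page.
DEFANGED_IOCS = [
    "http://andreahanksphotography[.]com/docs/",
    "http://bachatdeal[.]com/docs/",
    "http://binuli[.]ge/docs/",
    "http://brideinthewilderness[.]com/docs/",
    "http://www.aurorasurgery[.]org/docs/",
    "http://www.brianhomesinc[.]com/docs/",
]

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
ARCHIVE_EXTENSIONS = (".zip", ".rar")


def refang(url: str) -> str:
    """Turn the report's defanged notation back into a real URL for matching."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def normalize_host(host: str) -> str:
    """Lower-case and drop a leading 'www.' so both IOC spellings match."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: adequate for this IOC set; production code should use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    return ".".join(normalize_host(host).split(".")[-2:])


IOC_HOSTS = {normalize_host(urlsplit(refang(u)).hostname) for u in DEFANGED_IOCS}


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From: address (the header is attacker-controlled; used only for mismatch checks)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report the three indicators discussed in the text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    urls = URL_RE.findall(body)
    from_domain = registrable_domain(sender_domain(msg))
    findings = {
        # Link points at one of the published UPATRE download locations.
        "known_malicious_urls": [
            u for u in urls if normalize_host(urlsplit(u).hostname or "") in IOC_HOSTS
        ],
        # Link domain differs from the domain the mail claims to come from.
        "link_domain_mismatch": [
            u for u in urls if registrable_domain(urlsplit(u).hostname or "") != from_domain
        ],
        # Archive attachments, the other UPATRE delivery method named above.
        "archive_attachments": [
            p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(ARCHIVE_EXTENSIONS)
        ],
    }
    findings["suspicious"] = any(findings.values())
    return findings


def build_sample_message() -> bytes:
    """Constructed lure modelled on the invoice-notification spam (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <billing@example-invoices.test>"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice message notification"
    msg.set_content("Your invoice is ready. View it at http://bachatdeal.com/docs/ before Friday.")
    msg.add_attachment(b"PK\x03\x04 stub", maintype="application",
                       subtype="zip", filename="invoice_4521.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed legitimate notification: link domain matches the sender, no archive."""
    msg = EmailMessage()
    msg["From"] = "Billing <notices@example.test>"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your statement is available"
    msg.set_content("Your statement is at https://www.example.test/account/statements")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, raw in (("lure", build_sample_message()), ("benign", build_benign_message())):
        print(name, analyze(raw))
```

The IOC match is the weakest of the three signals in practice: the listed hosts are compromised legitimate sites that get cleaned up, so the list goes stale quickly, whereas the sender/link domain mismatch and archive checks keep catching later waves. The mismatch check also has known false positives (newsletters sent via a mailing provider, link shorteners), so treat its output as a triage score rather than a block decision.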
Trend Micro protects users from this threat via detecting the spam samples, malicious URLs, and all the malware related to this attack.
Update as of 07:25 PM, October 16, 2014
Figure 2 was updated.