
CUTWAIL Spambot Leads to UPATRE-DYRE Infection

  • Posted on:October 16, 2014 at 2:24 pm
  • Posted in:Malware, Spam
  • Author:
    Michael Casayuran (Anti-spam Research Engineer)

A new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, which ultimately downloads its final payload: a BANKER malware related to the DYREZA/DYRE banking malware.

Background

In early October we observed a surge of spammed messages sent by the CUTWAIL/PUSHDO botnet, totaling more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.

We spotted spammed emails that disguise themselves as invoice message notifications or “new alert messages” from various companies and institutions.

Figure 1. Screenshots of spammed messages related to CUTWAIL/PUSHDO

The following URLs were found in the mail samples; clicking any of them downloads the malware:


Based on our data, the top affected countries that accessed the malicious URLs found inside the spam body are the United States, China, Great Britain, and Japan. The top spam sending countries are Vietnam, India, and France.

Figure 2. Top spam sending countries for this CUTWAIL spam run

The UPATRE-DYRE connection

Upon accessing any of the malicious URLs in the spammed messages, a UPATRE variant detected as TROJ_UPATRE.YYJS is automatically downloaded to the system. UPATRE is known for downloading other malware such as ZBOT and ransomware, and typically uses spam as its infection vector.

Based on our 1H 2014 spam report, UPATRE is the top malware seen in spam emails. With its continuously developing techniques, UPATRE remains one of the most prevalent malware families today. Examples of newer UPATRE techniques are its use of password-protected archives as attachments and its abuse of the online file storage platform Dropbox to bypass spam filters.

Figure 3. Top malware distributed via spam as of August 2014

In this attack, however, the UPATRE variant TROJ_UPATRE.YYJS downloads the final payload, TSPY_BANKER.COR, which is related to the DYREZA/DYRE banking malware. DYREZA is a banking malware with the following capabilities:

  • Performs man-in-the-middle attacks via browser injections
  • Steals banking credentials and monitors online banking session/transactions
  • Steals browser snapshots and other information

Based on our analysis, TSPY_BANKER.COR connects to several websites to receive and send information. Given this chain of malware infections, affected systems also run the risk of having sensitive data (such as banking credentials) stolen and used in future attacks.

Apart from the risk of stolen information, this spam attack also highlights the risk of traditional threats (like spam) being used as a vehicle for more advanced malware to infect systems. This can in turn lead to the infiltration of an entire enterprise network.

Best practices and recommendations

We highly recommend that users take extra caution when dealing with emails that contain attachments or URLs in the email body. Ensure that the domains are legitimate and take note of the company name indicated in the email. Another tip is to steer clear of suspicious-looking archive files attached to emails, such as those ending in .ZIP or .RAR. UPATRE is also known to use email templates through DocuSign, with emails that come in the form of bank notifications, court notices, and receipts.
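The two checks above (URLs in the mail body against a defanged blocklist, and archive attachments) can be automated at the mail gateway. The following is an added example, not code from the original post or from Trend Micro; the blocklist hosts and the sample email are constructed placeholders, not the indicators in this post.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed blocklist in the "[.]" defanged notation threat reports use
# (placeholder hosts, not indicators from the original post).
DEFANGED_BLOCKLIST = ["invoice-docs-example[.]test", "www.alert-example[.]test"]
ARCHIVE_EXT = (".zip", ".rar")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample invoice-notification email: a link plus a ZIP attachment.
SAMPLE_EML = """\
From: billing@notice-example.test
Subject: Invoice message notification
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your invoice is ready. View it at http://invoice-docs-example.test/docs/
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

def extract_urls(msg) -> list:
    """Collect URLs from every text part of a parsed email message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls

def triage(raw_eml: str) -> list:
    """Return the reasons an email matches the invoice-spam pattern."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    # Refang "host[.]tld" back to a plain lowercase hostname for matching.
    blocked = {i.replace("[.]", ".").lower() for i in DEFANGED_BLOCKLIST}
    findings = []
    for url in extract_urls(msg):
        if (urlparse(url).hostname or "").lower() in blocked:
            findings.append("blocklisted URL: " + url)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(ARCHIVE_EXT):
            findings.append("archive attachment: " + name)
    return findings
```

A message with no findings passes; one with either finding should be quarantined for review rather than delivered.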

Trend Micro protects users from this threat by detecting the spam samples, malicious URLs, and all the malware related to this attack.

Update as of 07:25 PM, October 16, 2014

Figure 2 was updated.
