Threats like UPATRE are continuously evolving as seen in the development of the techniques used so as to bypass security solutions. UPATRE malware are known downloaders of information stealers like ZeuS that typically spread via email attachments. We recently spotted several spam runs that use the popular file hosting service Dropbox. These use embedded links lead to the download of UPATRE malware variants. What is noteworthy in these spam attacks is that it is the first instance we saw TROJ_UPATRE being deployed via URL found in an email message.
In one of the spam samples we saw, it poses as an eFax notification mail with a Dropbox link in the message body. Once unsuspecting users click on the link, it will redirect to a Dropbox URL, leading to the download of a malicious file detected as TROJ_UPATRE.YYMV. When executed, it downloads a ZBOT variant, detected as TSPY_ZBOT.YYMV, which, in turn, drops a rootkit detected as RTKT_NECURS.MJYE. The NECURS variants are known to disable security solutions on infected systems, causing further infection.
Figure 1. Sample of these spam emails
Figure 2. Legitimate copy of email message from eFax
The other spam sample we saw pretended to be an email with a Dropbox link that came from NatWest Bank containing a supposed NatWest Financial Activity Statement, but is actually a TROJ_UPATRE malware. Similarly, it follows the UPATRE- ZBOT- NECURS infection chain. Based on our investigation, this spam run also uses names of legitimate companies, such as Lloyds Bank, eFax, Intuit, ADP, BBB, and Skype, among others. We also came across spammed messages with embedded Dropbox links but redirects to Canadian pharmacy websites.
We have been monitoring this spam campaign since it started last May 23 and began to increase a week later. Dropbox was already informed of this incident as of posting. We have also notified and submitted the current list of affected accounts that seem to be hosting malware in Dropbox.
Last April, we reported tax-themed spammed messages that also follow the same infection combination of UPATRE, ZBOT, and NECURS. Based on our data, UPATRE remains as the top malware distributed via spam from January to May 2014.
Figure 2. Top 5 distributed malware via spam mail, Jan-May 2014
Cybercriminals often go with what’s hot and popular for their social engineering lures. In this case, the bad guys abused legitimate Dropbox links in order to trick users into downloading various malware, which can lead to system infection and information theft.
Trend Micro protects users from this threat by detecting all spam-related samples and malicious files.
Special mention to Maydalene Salvador for finding this new spam samples, and to Mark Manahan for analyzing this malware
Update as of 12:15 AM, June 13, 2014
A few days after we discovered the UPATRE malware that abuse Dropbox links, we found another spam mail that downloads a malicious file from Dropbox.
Figure 3. Sample of the spam mail leading to a CryptoLocker’s variant, Cryptowall
Here, the spam mail is disguised as a voice mail and the final payload is a CryptoLocker‘s variant, Cryptowall, detected as TROJ_CRYPWALL.D. TROJ_CRYPWALL.D directly opens a Tor website that asks for payment; previous CryptoLocker has its own GUI for payment. Trend Micro protects users from this threat by detecting all spam-related samples and malicious files.
With analysis from Maydalene Salvador and Rhena Inocencio