
UPATRE Ups the Ante With Attachment Inside An Attachment

  • Posted on: April 4, 2014 at 1:21 am
  • Posted in: Malware, Spam
  • Author: Marilyn Melliang (Senior Threat Research Engineer)

In 2013, the malware UPATRE was noted as one of the top malware families seen attached to spammed messages. The malware was also notorious for downloading other malware, including ZeuS and ransomware, particularly its more sophisticated form, Cryptolocker. This was enough reason to believe that the UPATRE threat is constantly advancing its techniques; this time, it does so by using multiple levels of attachments.

Spam within spam

We took note of the new UPATRE malware technique when our research brought us to a spammed message that imitates emails from known banks such as Lloyds Bank and Wells Fargo. The “spam within spam” technique was already notable in itself, as the .MSG file contained another .MSG file as an attachment; only this time, the attached file actually contains the UPATRE variant, which we detect as TROJ_UPATRE.YYKE.

Figure 1. An email from “Lloyds Bank” contains a .MSG attachment

Figure 2. Opening the .MSG attachment reveals a malicious .ZIP file

Based on our analysis, TROJ_UPATRE.YYKE downloads its ZBOT tandem, detected as TSPY_ZBOT.YYKE. This ZBOT variant then drops a NECURS variant detected as RTKT_NECURS.RBC.

The NECURS malware is notable for its final payload, which disables computers’ security features and puts them at serious risk of further infections. It gained notoriety in 2012 for its kernel-level rootkit and backdoor capabilities. It is important to note that we are now seeing an increase in this malware, which can be attributed to UPATRE/ZBOT being distributed as attachments to spammed messages.

Evolution of UPATRE

UPATRE was first seen arriving as an archived file attachment of spammed messages in October of last year, after the fall of the Blackhole Exploit Kit. Once opened, it triggers an infection chain involving ZBOT and CRILOCK malware.

A month after that, cybercriminals upped the ante by using password-protected archives as email attachments. The email includes the password as well as instructions on how to use the contents of the attachment. The use of passwords is highly notable, as it adds a sense of legitimacy and importance to the message, and it also keeps the archive contents opaque to any scanner that cannot open it.
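The two techniques described above, an archive hidden inside an attached message and a password-protected archive, are both things a mail gateway or triage script can surface before a user ever opens the file. The following is an added example (not Trend Micro’s code and not tied to the samples in this post) that walks an email recursively, reports each attachment with its nesting depth, and flags archives that sit inside an attached message or carry the ZIP encryption flag. The samples in this post are Outlook .MSG files; this example uses the standard-library `email` package with a MIME message/rfc822 attachment as the equivalent nesting so that it runs offline (parsing real .MSG containers would need an OLE reader such as the third-party `extract_msg` package in place of `BytesParser`). The sample message, filenames and flag names are constructed for the example.

```python
"""Recursive attachment walker: reports attachments nested inside attached
messages and flags archives, including password-protected ZIPs.

Added example, not code from the original post. The nested message and the
ZIP it carries are constructed here and contain only a harmless text file.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".cab", ".gz")   # extensions treated as archives
ZIP_MAGIC = b"PK\x03\x04"                               # local file header of a ZIP


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP entry has the general-purpose 'encrypted' flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def walk_attachments(msg, depth=1, path=""):
    """Yield (depth, path, content_type, flags) for every attachment.

    message/rfc822 parts are attached messages; the walker recurses into them,
    so a ZIP carried by an attached message is reported at depth 2.
    """
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ctype = part.get_content_type()
        here = f"{path}/{name}"
        if ctype == "message/rfc822":
            yield (depth, here, ctype, ["attached-message"])
            # get_content() on a message/rfc822 part returns the inner message object
            yield from walk_attachments(part.get_content(), depth + 1, here)
            continue
        data = part.get_payload(decode=True) or b""
        flags = []
        if name.lower().endswith(ARCHIVE_EXTS) or data.startswith(ZIP_MAGIC):
            flags.append("archive")
            if depth > 1:
                flags.append("archive-inside-attached-message")
            if data.startswith(ZIP_MAGIC) and zip_is_encrypted(data):
                flags.append("password-protected")
        yield (depth, here, ctype, flags)


def scan(raw: bytes):
    """Parse raw message bytes and return the list of attachment records."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return list(walk_attachments(msg))


def suspicious(raw: bytes) -> bool:
    """Triage verdict: any archive nested inside an attached message, or any
    password-protected archive, is worth holding for analysis."""
    return any(
        "archive-inside-attached-message" in rec[3] or "password-protected" in rec[3]
        for rec in scan(raw)
    )


def build_sample() -> bytes:
    """Constructed sample, not a real UPATRE mail: an outer message carrying an
    attached message, which in turn carries a ZIP holding a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.txt", "placeholder text, not malware\n")

    inner = EmailMessage()
    inner["Subject"] = "Your statement"
    inner.set_content("Please see the attached statement.")
    inner.add_attachment(buf.getvalue(), maintype="application",
                         subtype="zip", filename="statement.zip")

    outer = EmailMessage()
    outer["Subject"] = "Fwd: Your statement"
    outer.set_content("Forwarded message attached.")
    outer.add_attachment(inner)                      # becomes a message/rfc822 part
    part = outer.get_payload()[-1]
    del part["Content-Disposition"]                  # give the attached message a filename
    part["Content-Disposition"] = 'attachment; filename="statement.msg"'
    return outer.as_bytes()


if __name__ == "__main__":
    sample = build_sample()
    for rec in scan(sample):
        print(rec)
    print("suspicious:", suspicious(sample))
```

Run as a script it prints one record per attachment: the attached message at depth 1 and the ZIP at depth 2 flagged `archive-inside-attached-message`. A gateway rule built on this output would hold nested or encrypted archives for inspection rather than relying on the archive contents being scannable, which is exactly what the password-protected variant defeats.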

UPATRE’s evolution is proof that threats will find new ways and techniques to get past security solutions. Users should always be on their guard when dealing with unknown or unfamiliar emails, sites, or files. These could very well lead to threats. Practicing safety habits like using a security solution or double-checking links and attachments can help users protect their computers and their data from threats.

Special mention to Chloe Ordonia for finding this new spam technique, and to Jaime Reyes for analyzing this malware.

Tags: Malware, NECURS, rootkit, Spam, UPATRE, ZBOT
