Know It Better to Protect Yourself Better: UPATRE Malware Spams
UPATRE malware is a new type of spam that uses a legitimate sender’s email address as a decoy, deceiving security systems in order to slip past them. Find out how you can protect yourself.
A spam email is an irrelevant, unsolicited email sent in bulk to a group of people. For example, let’s say you have a list of email addresses, collected from various sources or purchased, and you want to send them a promotion for one of your products or some other offer they can’t refuse. Since the people on that list never gave you explicit permission to message or contact them about any such offer, the email you send them is considered spam.
A spam filter is software that detects unsolicited e-mails, unwanted content, and phishing emails. To avoid spam, internet users resort to different filtering techniques and spam-free channels. There are various categories of filtering options to choose from; a spam filter decides to block content based on criteria such as:
- A given word in the subject line of the email message.
- Suspicious word patterns and the frequency of those words.
Rarely do spam filters block completely legitimate e-mails; when they do, these are known as false positives in the security world. Other spam filters, such as Bayesian filters or other heuristic filters, identify spam through suspicious word patterns or by analyzing how often those words repeat.
Ideally, a spam filter blocks enough messages to justify the cost of its use. In general, people pay no attention to the blocked content. However, knowing what was filtered out helps us to be better prepared to tackle any threat.
One of the most common kinds of Malspam (malware spam) caught by spam filters is Upatre Malspam. It was first detected in August 2013, and its variants reach systems as various forms of malicious e-mail attachments. It can also post malicious links to a hosting website, which is itself spam. Upatre is a Trojan horse that downloads potentially harmful or malicious files onto the compromised computer system or network.
Operation of UPATRE
After being installed on the system, it starts downloading and executing malware and infecting other systems.
It encrypts the files which are stored in the affected system and transfers them to the adversary’s server.
UPATRE Malware Includes
ZEUS, CRILOCK, ROVNIX, DYRE, and others. Newer variants of Upatre are capable of stealing system information such as the operating system, the IP address, and other private data.
UPATRE Payload
The malware propagates through spam email messages. The attackers may include URLs or links to the Trojan in the email messages, or sometimes embed it in files attached to the email. The payload connects to remote URLs/IPs and drops files.
Installation
It downloads potentially malicious files and usually disguises itself with the icon of a legitimate application, such as Adobe Acrobat Reader. This Trojan (Upatre Malspam) drops the copies of itself listed below onto the affected system and executes them:
- %User Temp%\pdfviewer.exe
- %User Temp%\informix.exe
- %User Temp%\ELuXJ36.exe
- %User Temp%\goofit5.exe
- %User Temp%\vybzl.exe
In simple words, Upatre Malspam is a downloader Trojan that retrieves Dyreza (DYRE), a data stealer and Zeus-like banking Trojan. Earlier, in June 2015, Dyre targeted global banks’ systems and bypassed SSL protection to steal their critical data. After US-CERT warned security experts about the campaigns being carried out with DYRE, the cyber-criminals changed its variants so that it no longer used the Cutwail spambot to spread the infection. DYRE then started using the I2P anonymization network as its communication medium.
The botnets deliver this spam as zip files to the victim’s e-mail. However, most organizations’ spam filters remove this Malspam, so employees are rarely affected.
The DYRE Malspam uses the msmapi32.dll library to perform its e-mail routines: it generates e-mails in Microsoft Outlook that carry Upatre-infected files as attachments.
It does not collect the recipient list from the Microsoft Outlook contacts. Instead, it uses a C&C (Command and Control) server to choose the recipients, the content of the spam e-mail, and the subject line.
When the industry’s security experts reviewed the contents caught by spam filters, the following subject lines indicated the presence of Upatre Malspam:
- Credit Note CN
- Message from “unknown number” Page(s)
- Please view
The subject line can be anything; those listed above are the ones observed in botnet-based Upatre Malware Spam.
The attachments are generally .zip files containing an executable with the .scr extension. In general, the attachments across a batch of Malspam caught by the filters are all the same files.
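The combination described above (a known subject line plus a .zip attachment that hides a .scr executable) is straightforward to check for at the mail gateway. The following added example, which is not from the original article or from any vendor's product, parses a MIME message, inspects each zipped attachment for executable members, and flags the message; the sample message it builds is constructed for the demonstration and is not a real capture.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines reported for this campaign in the article.
KNOWN_SUBJECTS = ("Credit Note CN", "Message from", "Please view")
# Executable extensions to look for inside zipped attachments (.scr is the one described).
SUSPICIOUS_EXTENSIONS = (".scr", ".exe")


def subject_matches(subject: str) -> bool:
    """True if the subject starts with one of the reported campaign subject lines."""
    return any(subject.strip().startswith(k) for k in KNOWN_SUBJECTS)


def zip_members_with_executables(data: bytes) -> list:
    """Return the names of zip members with an executable extension (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SUSPICIOUS_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report subject and attachment indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        for member in zip_members_with_executables(part.get_payload(decode=True) or b""):
            hits.append(f"{name}:{member}")
    # Quarantine on the attachment evidence alone; the subject is corroborating context.
    return {"subject_hit": subject_matches(str(msg["subject"] or "")),
            "attachment_hits": hits, "quarantine": bool(hits)}


def build_sample() -> bytes:
    """Construct a sample message shaped like the described Malspam (placeholder bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Credit_Note_CN.scr", b"MZ placeholder, constructed for the example")
    msg = EmailMessage()
    msg["Subject"] = "Credit Note CN"
    msg["From"] = "sender@example.com"  # constructed address
    msg["To"] = "user@example.com"      # constructed address
    msg.set_content("Please view the attached credit note.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Credit_Note_CN.zip")
    return bytes(msg)
```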
Conclusion
Hackers keep developing and improving the evasion and intrusion techniques of UPATRE and DYRE. Most enterprises have robust email security against such threats, as the security team keeps filtering these out of their systems well before they reach the recipient’s mailbox. However, studying the patterns of these Malspams is crucial for gauging the tactics of cyber-criminals whenever they change their ways of operating, and for keeping systems protected against such threats.