---
title: "Know It Better to Protect Yourself Better: UPATRE Malware Spams | DuoCircle"
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/resources/upatre-malware-spams/"
---


#  Know It Better to Protect Yourself Better: UPATRE Malware Spams 


UPATRE malware is a newer type of spam that uses the original sender’s email address as a decoy to deceive security systems and slip past them. Find out how you can protect yourself.


_A spam email is an irrelevant and unsolicited email that is sent in bulk to a group of people_. For example, let’s say you have a list of email addresses collected from various sources or purchased, and you want to send them an email promoting one of your products or some other offer they can’t refuse. Since the people on that list did not give you explicit permission to message them or contact them about any such offer, sending them an email anyway would count as a [spam email](/content/email-spam-filter-service).

![email security](https://media.mailhop.org/duocircle/images/2021/08/email-security-from-malware-attack.png) 

_A [Spam filter](/content/spam-filter) is software that helps detect unsolicited e-mails_, unwanted content, and [phishing emails](/phishing-protection/phishing-emails-just-became-even-harder-to-spot-with-invisible-text) too. To avoid spam emails or messages, internet users resort to different types of filtering techniques and **spam-free** channels to curb the problem of spamming. There are various categories of filtering options to choose from. A **spam filter** decides whether to block content based on criteria such as:

- A given word in the subject line of the email message.
- Suspicious word patterns and the frequency of those words.

_Rarely, spam filters also block completely legitimate e-mails._ These are known in the security world as false positives. Other spam filters, such as [Bayesian filters](https://www.lifewire.com/bayesian-spam-filtering-1164096) or [heuristic filters](https://www.techopedia.com/definition/28881/heuristic-filtering), identify spam through suspicious word patterns or by analyzing how often those words recur.

Ideally, these [spam filters](/email/spam-filtering) block enough messages to justify their cost. In general, people pay no attention to the blocked content. However, _it is worth knowing what was filtered_, because it helps us to be better prepared to **tackle any threat**.

One of the most common kinds of malspam (malware spam) caught by spam filters is Upatre malspam. It was first detected in August 2013, and its variants compromise systems through various forms of malicious e-mail attachments. It can also post malicious links to the host website, which is itself spam. Upatre is a [Trojan horse malware](/content/email-and-information-security-jargon) that downloads potentially harmful or malicious files onto the compromised computer system or network.

[![email security services](https://www.duocircle.com/wp-content/uploads/2021/08/email-security-malware-prevention.jpeg)](/wp-content/uploads/2021/08/email-security-malware-prevention.jpeg)

### Operation of UPATRE

After being installed on the system, it starts downloading and executing [malware](/resources/malware-and-its-defense-mechanism) and infecting other systems.

It encrypts the files stored on the affected system and transfers them to the adversary’s server.

#### UPATRE Malware Includes

ZEUS, CRILOCK, ROVNIX, DYRE, etc. _Newer variants of Upatre are capable of stealing system information such as the operating system and IP address, along with other private info_.

#### UPATRE Payload

The malware propagates through [spam email](/content/email-spam-filter-service) messages. The attackers may include URLs or links to the Trojan in the e-mail body or embed it in files attached to the e-mail. The payload connects to URLs/IPs and drops files.

#### Installation

It downloads potentially malicious files and usually disguises itself with the icon of a legitimate application, such as Adobe Acrobat Reader. This Trojan (Upatre malspam) drops the copies of itself listed below onto the affected system and executes them:

- %User Temp%\\pdfviewer.exe
- %User Temp%\\informix.exe
- %User Temp%\\ELuXJ36.exe
- %User Temp%\\goofit5.exe
- %User Temp%\\vybzl.exe

In simple words, _Upatre malspam is a downloader malware that retrieves Dyreza (DYRE), a data stealer_ in the style of the Zeus banking Trojan. Earlier, in June 2015, [Dyre targeted global banks’](https://www.secureworks.com/research/dyre-banking-trojan) systems and bypassed the **SSL security** layer to steal their critical data. After US-CERT warned security experts about the cyber warfare being carried out with DYRE, the cyber-criminals changed its variants: it no longer used the Cutwail spambot to spread the infection and instead began using the I2P anonymization network as its communication medium.

Botnets deliver this spam to the victim’s e-mail as zip files. However, most organizations’ **spam filters** remove this malspam, so employees are rarely affected.

The DYRE malspam uses the msmapi32.dll library to perform its e-mail routines: it generates e-mails in Microsoft Outlook that carry Upatre malspam-infected files as attachments.

_It does not collect the recipient list from the Microsoft Outlook contacts section_. Instead, it uses a C&C (command and control) server to choose the recipients, the content of the spam e-mail, and the subject line.

When the industry’s security experts reviewed the contents caught by [spam filters](/email/spam-filtering), the following subject lines indicated the presence of Upatre malspam:

- Credit Note CN
- Message from “unknown number” Page(s)
- Please view

The subject line can be anything; the ones listed above were observed in botnet-based Upatre malware spam.

The attachments generally take the form of .zip files containing an executable with the .scr extension. In general, _the attachments are the same files across a batch of malspam that the filters detect_.
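A defender-side check built from the indicators this article lists (the observed subject lines, the .zip attachment carrying a .scr executable, and the copies dropped under %User Temp%), as an added example that is not part of the original post. The sample message, its filenames and the archive contents are constructed here for illustration.

```python
import io
import re
import zipfile

# Subject lines the article reports for botnet-delivered Upatre malspam,
# as regexes so the "unknown number" placeholder can match any value.
UPATRE_SUBJECT_PATTERNS = (r"^Credit Note CN", r"^Message from .+ Page\(s\)$",
                           r"^Please view$")
# Filenames of the dropped copies the article lists under %User Temp%.
UPATRE_DROP_NAMES = {"pdfviewer.exe", "informix.exe", "eluxj36.exe",
                     "goofit5.exe", "vybzl.exe"}

def zip_members(data: bytes) -> list:
    """Member names of a zip attachment; [] when the bytes are not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def upatre_indicators(subject: str, attachments: dict) -> list:
    """Which of the article's indicators match a message (attachments: name -> bytes)."""
    hits = []
    if any(re.match(p, subject.strip()) for p in UPATRE_SUBJECT_PATTERNS):
        hits.append("known-subject")
    for name, data in attachments.items():
        # The delivery form described: a .zip whose members include a .scr executable.
        if name.lower().endswith(".zip") and any(
                m.lower().endswith(".scr") for m in zip_members(data)):
            hits.append("zip-with-scr")
    return hits

def suspicious_temp_files(listing: list) -> list:
    """Names in a %User Temp% listing that match the article's dropped copies."""
    return sorted(n for n in listing if n.lower() in UPATRE_DROP_NAMES)

def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a lure subject from the article plus a zip holding a harmless
# placeholder whose name mimics a PDF but carries the .scr extension.
SAMPLE_SUBJECT = "Please view"
SAMPLE_ATTACHMENTS = {"document.zip": make_zip({"document.pdf.scr": b"placeholder"})}
```

Both checks are name- and structure-based, so a rename of the dropped copies or a different archive format would evade them; they are a cheap first-pass filter, not a replacement for content scanning.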

### Conclusion

_Hackers keep developing and improving the evasion and intrusion techniques_ of UPATRE and DYRE. Most enterprises have robust [email security](/) against such threats, as the security team continues to filter these out of their systems well before they reach the recipient’s mailbox. However, _studying the patterns of these malspams is crucial for gauging the tactics of cyber-criminals_ whenever they change their ways of operating, and for keeping systems protected against such threats.

