Researchers from the Microsoft Malware Protection Center (MMPC) have seen a spike in Win/32.Upatre infections in recent months. The trojan compromises host machines through malicious email attachments and, once installed, moves to download different malware from its command and control server.
The spam campaign is distributing Upatre with the following malicious attachments where ‘<variable names>’ can be domains, company, and individual names, or even random letters or words: USPS_Label_<random number>.zip, USPS – Missed package delivery.zip, Statement of Account.zip, <number>-<number>.zip, TAX_<variable names>.zip, Case_<random number>.zip, Remit_<variable names>.zip, ATO_TAX.zip, and ATO_TAX_<variable names>.zip.
Telemetry data indicates that Upatre’s administrators are delivering the trojan with exploit kits targeting Java and PDF vulnerabilities as well.
According to the MMPC, Upatre is primarily a conduit for delivering further malware. Thus far, its favorite delivery is ‘Win32/Zbot.gen!AM,’ a family of malware that steals credentials and potentially cedes control of infected machines to the attacker. More recently, researchers have seen the trojan installing ‘TrojanDropper:Win32/Rovnix.I’ as well. Rovnix writes malicious code the NewTechnologyFileSystem (NTFS) boot sector reportedly injecting code into explorer.exe so that it can download further malware from the domain ‘youtubeflashserver[dot]com’ each time an infected machine restarts.
Upatre is pulling this malware from a number of domains, including mytarta[dot]com, cyclivate[dot]com, pentruder[dot]co[dot]uk, and huyontop[dot]com.
The Zbot malware historically deployed a domain generation algorithm to shake detection as it downloads its updates. The MMPC researchers claim that it too is increasingly downloading other malware, at first a piece of bitcoin-accepting ransomware known as CryptoLock, but later ‘Trojan:Win32/Necurs.A’ as well, a piece of malware about which little is yet known.
Upatre is almost exclusively a U.S. problem, with nearly 97 percent of its infection taking place there. In an extremely distant second, third, fourth, and fifth respectively are the United Kingdom (0.89 percent), Canada (0.46 percent), Australia (0.27 percent), and Japan (0.19 percent).