The Upatre downloader is the vehicle that has driven numerous banking Trojan and ransomware attacks to the front door of countless victims at great cost.
Microsoft on Thursday warned of a wire-transfer spam campaign it has spotted spreading Upatre and eventually loading the dangerous Dyreza banking Trojan. Not only has Dyreza been implicated in the theft of banking credentials from victims worldwide, but it was also at the center of attacks against Salesforce.com users and was spotted exploiting the same vulnerability used in APT attacks carried out by the Sandworm group.
The spam messages spotted by Microsoft include a malicious .scr or PDF attachment and a message claiming that the recipient has been sent a wire transfer of $35,292. The attachment contains a ZIP file called payment1872.zip that extracts Upatre. The downloader opens a connection to one of two domains, either continua[.]ltd[.]uk or odecarequipa[.]com, where Dyreza awaits and is loaded onto the compromised computer; Microsoft detects this variant of Dyreza as Dyzap.h.
Most of the victims are in the United States, with another, smaller concentration in Canada.
US-CERT issued an advisory in October warning about a Dyreza outbreak using PDF attachments exploiting vulnerabilities in older versions of Adobe Reader. The malware has many data-stealing capabilities, and is used primarily to steal banking credentials.
Once on a machine, the malware uses a technique known as browser hooking to intercept traffic flowing between the victim’s machine and the target Web site, bypassing SSL encryption in the process. The technique works on all three major browsers: IE, Firefox and Chrome.
Danish security outfit CSIS wrote in an analysis that the attackers often use a man-in-the-middle approach and can read SSL traffic in the clear, circumventing two-factor authentication in the process.
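As an added example, not from the article or from CSIS's analysis: a defensive check, in Python, for the inline hooks that browser-hooking malware plants at the entry of browser networking functions so it can read traffic before it is encrypted. It assumes the caller has already copied the function's first bytes from the live browser process and from the clean on-disk image (a platform-specific step not shown); the addresses, module range and byte sequences used are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed hook scanner: inspects the entry bytes of an exported function
# (e.g. a browser's SSL write routine) for a trampoline that redirects
# execution out of the module, and compares them against the on-disk copy.

@dataclass
class HookFinding:
    kind: str               # jmp_rel32 | jmp_short | jmp_indirect | push_ret | prologue_mismatch
    target: Optional[int]   # resolved branch target, if statically known

def decode_branch(prologue: bytes, func_va: int) -> Optional[Tuple[str, Optional[int]]]:
    """Decode a control-transfer stub sitting at the function entry, if any."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return "jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(prologue) >= 2 and prologue[0] == 0xEB:                      # jmp rel8
        rel = struct.unpack_from("<b", prologue, 1)[0]
        return "jmp_short", (func_va + 2 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(prologue) >= 6 and prologue[0:2] == b"\xFF\x25":             # jmp [mem]
        return "jmp_indirect", None     # target needs a memory read; flag for review
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # push imm32; ret
        return "push_ret", struct.unpack_from("<I", prologue, 1)[0]
    return None

def check_function(in_memory: bytes, on_disk: bytes, func_va: int,
                   module_range: Tuple[int, int]) -> Optional[HookFinding]:
    """Flag a branch that leaves the module's own address range, else any
    difference from the clean on-disk prologue (hotpatch stubs and x86
    relocations can cause benign mismatches, so treat those as leads)."""
    branch = decode_branch(in_memory, func_va)
    if branch is not None:
        kind, target = branch
        lo, hi = module_range
        if target is None or not (lo <= target < hi):
            return HookFinding(kind, target)
    if in_memory[:len(on_disk)] != on_disk:
        return HookFinding("prologue_mismatch", None)
    return None

# Helpers to build constructed hook stubs for testing the scanner.
def make_jmp_rel32(func_va: int, target: int) -> bytes:
    return b"\xE9" + struct.pack("<i", target - (func_va + 5))

def make_push_ret(target: int) -> bytes:
    return b"\x68" + struct.pack("<I", target) + b"\xC3"
```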
One spam campaign in October had a banking theme targeting customers of a number of Swiss banks and contained a PowerPoint attachment exploiting the recently patched Windows OLE vulnerability, addressed by Microsoft in an emergency patch earlier this month. This same exploit was used in the Sandworm APT attacks, which targeted government and industrial targets in Eastern Europe.
The Salesforce attack using Dyreza was obviously much more targeted. Salesforce alerted its customers on Sept. 3 that one of its partners had reported a spam campaign targeting Salesforce credentials. Those credentials would be particularly useful to a profit-minded hacker, since Salesforce is used by organizations to run internal sales teams, customer relationship management and other business-related functions.
With Upatre now delivering Dyreza, or Dyre, to victims, the downloader is responsible for a wide array of trouble, including not only banking Trojans but also botnets such as Rovnix, which in October surfaced with a new domain generation algorithm and secure transmission channel.