A downloader known as Upatre is being distributed through spam emails that purport to come from “major financial institutions” such as Lloyds TSB and Wells Fargo.
The fake emails inform recipients that they’ve received a new secure message, said researchers at Trend Micro. The message is the same in each case: potential victims are told to open the attached .msg file to see the message.
“In 2013, the malware UPATRE was noted as one of the top malware seen attached to spammed messages,” said Marilyn Melliang, senior threat research engineer with Trend Micro, in a blog post.
The .msg file contains another .msg file which hides Upatre (TROJ_UPATRE.YYKE). The attackers most likely use that method to ensure the malware is not immediately detected by security solutions. In essence, it is malware within malware.
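A triage heuristic for the nesting described above, as an added example that is not from Trend Micro or the original article: it walks an email's attachments and flags any OLE compound file (the container format of .msg) that carries a second compound-file header or an attachment-object storage. The sample email, filenames and function names are constructed for illustration, and the byte scan is a heuristic, not a full .msg parser.

```python
import email
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound file header (.msg, .doc, ...)
# Directory-entry name (UTF-16LE) of the storage that holds an embedded
# message or OLE object attachment inside a .msg file.
ATTACH_OBJECT = "__substg1.0_3701000D".encode("utf-16-le")

def nested_msg_indicators(blob: bytes) -> dict:
    """Heuristic scan of one attachment's bytes; does not parse the container."""
    if not blob.startswith(OLE_MAGIC):
        return {"is_ole": False, "inner_ole_headers": 0, "attach_object_storages": 0}
    return {
        "is_ole": True,
        # a second header past offset 0 suggests another compound file stored by value
        "inner_ole_headers": blob.count(OLE_MAGIC, 1),
        "attach_object_storages": blob.count(ATTACH_OBJECT),
    }

def triage(raw_email: bytes) -> list:
    """Return (filename, indicators) for every attachment that looks nested."""
    msg = email.message_from_bytes(raw_email)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        info = nested_msg_indicators(data)
        if info["inner_ole_headers"] or info["attach_object_storages"]:
            hits.append((part.get_filename(), info))
    return hits

def build_sample() -> bytes:
    # Constructed bytes that only mimic the markers; not a valid .msg file.
    inner = OLE_MAGIC + b"\x00" * 504
    outer = OLE_MAGIC + b"\x00" * 504 + ATTACH_OBJECT + b"\x00" * 24 + inner
    m = EmailMessage()
    m["Subject"] = "You have received a new secure message"  # constructed
    m.set_content("Open the attached file to read the message.")
    m.add_attachment(outer, maintype="application",
                     subtype="vnd.ms-outlook", filename="SecureMessage.msg")
    m.add_attachment(b"plain text", maintype="application",
                     subtype="octet-stream", filename="note.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for name, info in triage(build_sample()):
        print(name, info)
```

A hit is a reason to quarantine and unpack the attachment with a real compound-file parser, since legitimate forwarded messages and embedded OLE objects produce the same markers.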
Once it infects a device, the malware starts downloading other threats.
The sample analyzed by Trend Micro downloads a variant of ZeuS (TSPY_ZBOT.YYKE), which in turn downloads a version of Necurs (RTKT_NECURS.RBC). Necurs’ goal is to disable security features on compromised computers to make them vulnerable to other infections.
Cybercriminals also use Upatre to distribute ransomware such as CryptoLocker.
After the fall of the BlackHole exploit kit, cybercriminals started distributing Upatre as an attachment. Later, they hid the malware inside password-protected attachments. Now, they’ve once again changed their tactics.
“UPATRE’s evolution is proof that threats will find new ways and techniques to get past security solutions,” Melliang said.