Upatre evolved from a basic threat to a sophisticated piece of malware

Apr 20, 2015 12:00 GMT

A new version of malware downloader Upatre has emerged towards the end of last week, adopting encrypted communication with the command and control (C&C) server.

Previous versions of the malware relied on regular HTTP traffic via non-standard ports to deliver information from the compromised machine to the server, which allowed efficient blocking of its activity.

Upatre switches to new user-agent

Researchers from Cisco’s security intelligence group Talos noticed last week fresh versions of Upatre whose sophistication reached levels not encountered before.

One of the mutations, identified on April 13, no longer uses “checkip.dyndns” to identify the IP address of the compromised system and contacts “icanhazip.com” instead.

To avoid detection, the new Upatre communicates with a new user-agent (“Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0”). The string is that of a legitimate browser, which makes the traffic more difficult to associate with malicious activity.

Malware encrypts traffic to C&C server

Another update of the malware was observed later in the week using the SSL (Secure Sockets Layer) cryptographic protocol to hide the type of data flowing between the infected client and the C&C server.

“While Upatre has always had a small SSL component, this is the first we’ve seen a full shift to total SSL for all communications,” Cisco threat researchers Nick Biasini and Joel Esler say in a blog post.

The only communication this strain leaves unencrypted is the request that identifies the system’s IP address; once that task is complete, all traffic to the C&C server is encrypted.
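The two behaviours described above (an unencrypted public-IP lookup with a browser-like user-agent, followed by encrypted traffic to the C&C server) give defenders something to correlate, even though neither is suspicious on its own. The following is an added detection sketch, not code from the article or from Cisco Talos. It runs over a constructed, simplified proxy/flow log whose format, client addresses, destination and port are invented for the example; only the two lookup host names and the user-agent string come from the article. It flags a client only when an IP lookup is corroborated by the reported user-agent or by a TLS connection to a non-443 port shortly afterwards, because the user-agent is a genuine Firefox 36 string and the lookup services are used by legitimate software too.

```python
"""Correlate public-IP lookups with follow-on TLS to unusual ports.

Added example. The log format is a constructed, simplified proxy/flow log,
not any real product's format. Addresses, the destination and its port are
invented; only the lookup host names and user-agent are from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Public-IP lookup services named in the article. Legitimate tools (dynamic
# DNS updaters, for example) use them too, so a hit alone is a weak signal.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "icanhazip.com"}

# User-agent quoted in the article. It is a real Firefox 36 string and must
# never be blocked on its own; here it only corroborates other signals.
SUSPECT_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) "
              "Gecko/20100101 Firefox/36.0")

# Constructed log format (one event per line):
# <ISO time> <client ip> <HTTP|TLS> <dest host or ip> <dest port> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<proto>HTTP|TLS) (?P<dst>\S+) '
    r'(?P<port>\d+) "(?P<ua>[^"]*)"$'
)

# How long after the IP lookup an encrypted connection still counts as related.
WINDOW = timedelta(minutes=5)

# Constructed sample log: one benign updater, one suspicious host, one
# ordinary browser using the same (legitimate) user-agent.
SAMPLE_LOG = [
    '2015-04-17T09:00:00 10.0.0.5 HTTP checkip.dyndns.org 80 "ddclient/3.8"',
    '2015-04-17T09:00:30 10.0.0.5 TLS mail.example.com 443 ""',
    '2015-04-17T09:01:00 10.0.0.9 HTTP icanhazip.com 80 "' + SUSPECT_UA + '"',
    '2015-04-17T09:01:02 10.0.0.9 TLS 203.0.113.77 4443 ""',
    '2015-04-17T09:02:00 10.0.0.12 HTTP www.example.org 80 "' + SUSPECT_UA + '"',
]


def parse(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["port"] = int(ev["port"])
    return ev


def detect(lines):
    """Return {client_ip: [reasons]} for clients showing the correlated pattern."""
    events = [ev for ev in (parse(ln) for ln in lines) if ev]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["proto"] != "HTTP" or ev["dst"] not in IP_LOOKUP_HOSTS:
                continue
            reasons = [f"public IP lookup via {ev['dst']}"]
            if ev["ua"] == SUSPECT_UA:
                reasons.append("user-agent matches the string reported for Upatre")
            # The article says everything after the IP check is encrypted, so
            # look for TLS to a non-443 port shortly after the lookup.
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > WINDOW:
                    break
                if later["proto"] == "TLS" and later["port"] != 443:
                    reasons.append(
                        f"TLS to {later['dst']}:{later['port']} within "
                        f"{WINDOW} of the lookup")
                    break
            # Require the lookup plus at least one corroborating signal.
            if len(reasons) >= 2:
                findings[src] = reasons
                break
    return findings


if __name__ == "__main__":
    for src, reasons in detect(SAMPLE_LOG).items():
        print(src)
        for r in reasons:
            print("  -", r)
```

Run stand-alone, the script reports only 10.0.0.9: the dynamic DNS updater performs a lookup but then talks TLS on 443 with a non-browser user-agent, and the ordinary browser never touches a lookup service. In a real deployment the host list and window would be tuned to the environment, and TLS-on-odd-port alone would still need review rather than automatic blocking.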

Most of the previous Upatre versions caught by the researchers reached the victim masquerading as a PDF file that was in fact an executable. As soon as it was launched, the malware downloaded a PDF document to display to the user.

However, in yet another change recorded by the researchers on Friday, Upatre no longer does this and instead downloads the payload in the background (most of the time the Dyre banking Trojan) over an encrypted connection.

The modifications seen by the researchers show that malware considered a common, easily blocked threat can evolve into an advanced piece capable of avoiding detection after infecting a system and of hiding its traffic to the control server.