The malware is attached to emails as an attachment inside an attachment

Apr 4, 2014 15:28 GMT

Cybercriminals are distributing the notorious downloader known as Upatre with the aid of spam emails that purport to come from major financial institutions such as Lloyds TSB and Wells Fargo.

According to Trend Micro, the fake emails inform recipients that they’ve received a new secure message. Potential victims are instructed to open the .msg file in the attachment to see the message.

The .msg file contains another .msg file which hides Upatre (TROJ_UPATRE.YYKE). The method is likely used to ensure that the malware is not immediately detected by security solutions.
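As an added illustration, not code from the article or from Trend Micro, the following Python check walks a mail's attachments recursively and reports executables that are reachable only through a nested message, the attachment-inside-an-attachment pattern described above. It uses a standard MIME message/rfc822 part as a stand-in for Outlook's .msg container (parsing real .msg files needs a third-party library), and the sample mail, filenames and file bytes are constructed, not the real campaign samples.

```python
import os
import email
from email import policy
from email.message import EmailMessage
from typing import NamedTuple

CONTAINER_EXT = {".msg", ".eml"}                       # nested mail containers
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
class Finding(NamedTuple):
    depth: int      # 0 = attached to the mail itself, 1 = attached to an attachment
    filename: str
    reason: str

def build_sample() -> bytes:
    """Constructed lure (not the real sample): mail -> .msg -> executable."""
    inner = EmailMessage()
    inner["Subject"] = "Your secure message"
    inner.set_content("Open the attached file to read the message.")
    inner.add_attachment(b"MZ\x90\x00 constructed bytes, not a real binary",
                         maintype="application", subtype="octet-stream",
                         filename="SecureMessage.exe")
    outer = EmailMessage()
    outer["Subject"] = "You have received a new secure message"
    outer.set_content("Please open the attached message.")
    outer.add_attachment(inner, filename="SecureMessage.msg")  # stands in for .msg
    return outer.as_bytes()

def inspect(raw: bytes) -> list[Finding]:
    """Recursively list nested-message and executable attachments with their depth."""
    findings: list[Finding] = []
    _walk(email.message_from_bytes(raw, policy=policy.default), 0, findings)
    return findings

def _walk(msg, depth: int, findings: list[Finding]) -> None:
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = os.path.splitext(name.lower())[1]
        body = part.get_payload(decode=True) or b""   # None for message/* parts
        if part.get_content_maintype() == "message" or ext in CONTAINER_EXT:
            findings.append(Finding(depth, name, "nested message attachment"))
            payload = part.get_payload()              # message/rfc822 -> [EmailMessage]
            for sub in (payload if isinstance(payload, list) else []):
                _walk(sub, depth + 1, findings)
        elif ext in EXECUTABLE_EXT or body[:2] == b"MZ":
            findings.append(Finding(depth, name, "executable attachment"))

def should_quarantine(raw: bytes) -> bool:
    """Block when an executable is reachable only through a nested message."""
    return any(f.depth >= 1 and f.reason == "executable attachment" for f in inspect(raw))
```

A mail gateway rule built on this would refuse the outer message even though nothing executable is attached to it directly, which is what the nesting was meant to exploit.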

Once it infects a device, the malware starts downloading other threats.

The sample analyzed by Trend Micro downloads a variant of ZeuS (TSPY_ZBOT.YYKE), which in turn downloads a version of Necurs (RTKT_NECURS.RBC). Necurs is designed to disable security features on compromised computers to make them vulnerable to other infections.

Upatre is also used by cybercriminals to distribute pieces of ransomware like the notorious CryptoLocker.

After the fall of the BlackHole exploit kit, cybercriminals started distributing Upatre as an attachment. Later, they hid the malware inside password-protected attachments. Now, they’ve once again changed their tactics.

“UPATRE’s evolution is proof that threats will find new ways and techniques to get past security solutions,” noted Marilyn Melliang, senior threat research engineer with Trend Micro.