XP is not dead, at least not for cyber-criminals

Oct 2, 2015 02:16 GMT

Windows XP is officially dead and buried, at least from Microsoft's standpoint, but there are still millions of users running it in the wild, and that is the main reason why cyber-criminals keep targeting these systems.

With no support and no security fixes arriving on the operating system, XP is a graveyard of old technology, a ghost town in which malware can walk around without fearing the sheriff.

AppRiver, a company that provides cyber-security solutions for email and Web products, is now reporting on a new spam campaign that is distributing the Upatre downloader to users around the world, but this time around, the malware only executes on a Windows XP machine.

Upatre delivered via a spam-scareware campaign

This new spam campaign comes with an email subject line that says "Attorney-client agreement," and tries to trick users into opening ZIP archives booby-trapped with the Upatre trojan.

AppRiver says that this campaign differs from other spam campaigns because the ZIP archive's filename is composed of three random names, which are different in each email, making it difficult for spam filters to block the emails based on the attachment's filename.

If users fall for the spam email's lengthy text, which employs a well-known lawsuit scare tactic, they will find themselves with Upatre on their computers.
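As an added illustration of the filename point above (not code from AppRiver or from the article): a small Python checker that never consults the attachment's name and instead opens the ZIP and looks for an executable inside, so a per-message random filename does not change the verdict. The sample message is constructed here, with a harmless "MZ" stub standing in for the trojan, and the lure subject is taken from this article.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Member names or content that mark a ZIP as carrying a Windows executable.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".js")

def zip_contains_executable(data: bytes) -> bool:
    """True if any member looks like a PE executable, by extension or 'MZ' header."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXEC_EXTENSIONS):
                    return True
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        return True
    except zipfile.BadZipFile:
        return False
    return False

def score_message(raw: bytes) -> tuple[bool, list[str]]:
    """Return (should_block, reasons). The attachment filename is never consulted,
    so randomising it per message does not change the verdict."""
    msg = email.message_from_bytes(raw)
    reasons = []
    if "attorney-client" in (msg.get("Subject") or "").lower():
        reasons.append("subject matches known lure")
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04") and zip_contains_executable(payload):
            reasons.append("zip attachment contains an executable")
            return True, reasons
    return False, reasons

def build_sample(zip_name: str, member_name: str, member_bytes: bytes) -> bytes:
    """Constructed test message: a harmless stub stands in for the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["Subject"] = "Attorney-client agreement"
    msg.set_content("Please review the attached agreement.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```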

Upatre is a malware downloader, only an entry point for other infections

Upatre, first spotted in August 2013 after the implosion of the Blackhole Exploit Kit, is known as a downloader trojan, a malware family whose only job is to fetch more dangerous malware onto infected machines. In the past, Upatre has been used to download malware strains such as Dyreza, Rovnix, Crilock, and Zeus.

The most recent version of Upatre is less dangerous, because it only runs on XP machines, shutting itself down through one of its internal filters whenever executed on a different platform.

When on an XP computer, the malware starts taking over system processes, adding registry entries, shutting down security certificates, and checking for reverse-engineering debug tools.

Once all this is done, it sends the user's IP address and local OS details to a C&C server located at 197.149.90.166:12299, and waits for further instructions.

"Even on Windows XP these samples seemed a little rickety as they tended to crash after a fairly short period of time, but they did have the best success rate on the XP machines," said AppRiver’s Fred Touchette, who also adds that they expect to see more advanced versions of this XP-targeting Upatre iteration in the coming days.