
Upatre Trojan Found to Download Malware That Downloads Additional Malware Threats

What has been identified as Win32/Upatre, or simply the Upatre Trojan, was found by researchers at the Microsoft Malware Protection Center to download malware that in turn downloads additional malware threats.

Because the Upatre Trojan is a two-faced malware threat, it ranks among the most vicious threats a Windows PC could encounter in recent months. We have seen cases where malware installed on a system runs in the background and downloads additional malware, all without any indication to the user or administrator.

Among the more striking findings about the Upatre Trojan is that it compromises host machines through malicious email attachments and then downloads other malware threats directly from its designated command and control server. In a nutshell, the Upatre Trojan is a never-ending thrill ride to utter chaos.

Another aspect of the Upatre Trojan that has drawn the interest of computer security researchers is new data showing an exponential increase in its distribution. As the chart in Figure 1 below shows, Upatre Trojan reports have climbed to unprecedented numbers in a span of just 3 months, from August to October of this year.

Figure 1. Win32/Upatre Trojan Report Count – Source: threatreport.com via Microsoft Malware Protection Center data
[Chart: Upatre Trojan report count]

One of the distinctive behaviours of the Upatre Trojan is that some of its spam campaigns distribute several malicious attachments packed inside a single zip file. Some of the zip file names found in spam messages originating from Upatre Trojan campaigns are listed below.

List of random Upatre Trojan malicious Zip file attachment names found in spam messages

  • ATO_TAX.zip
  • ATO_TAX_.zip
  • Case_.zip
  • -.zip
  • Remit_.zip
  • Statement of Account.zip
  • TAX_.zip
  • USPS_Label_.zip
  • USPS – Missed package delivery.zip
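The lure names above are the kind of thing a mail gateway can screen for before a user ever sees the attachment. The following is an added example, not code from the article or from any vendor: it turns the listed names into patterns (treating the trailing underscore in names such as Case_.zip as an elided random suffix, which is an assumption), and pairs that with a second check that looks inside each zip for members Windows would execute on double-click. The executable extension set, the sample archives, and the function names are all constructed for this example.

```python
"""Mail-gateway triage for Upatre-style zip lures (added example, not from the article)."""
import io
import re
import zipfile

# Lure attachment names quoted in the article, generalised into patterns.
# Names printed with a trailing underscore ("Case_.zip") had a random part
# elided, so those patterns accept an optional alphanumeric suffix (assumption).
LURE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^ATO_TAX_?[\w-]*\.zip$",
    r"^Case_[\w-]*\.zip$",
    r"^Remit_[\w-]*\.zip$",
    r"^Statement of Account\.zip$",
    r"^TAX_[\w-]*\.zip$",
    r"^USPS_Label_[\w-]*\.zip$",
    r"^USPS\s*[-\u2013]\s*Missed package delivery\.zip$",
)]

# Member extensions that Windows runs on double-click. This set is an
# assumption of the example; tune it to the gateway's own policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs"}


def matches_lure_name(filename: str) -> bool:
    """True if the attachment name fits one of the lure-name patterns."""
    return any(p.match(filename.strip()) for p in LURE_PATTERNS)


def executable_members(zip_bytes: bytes) -> list[str]:
    """Return archive members whose final extension is executable.

    A corrupt or non-zip payload is reported as a single pseudo-member so the
    caller treats 'cannot inspect' as suspicious rather than as clean.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    hits = []
    for name in names:
        if name.endswith("/"):          # directory entry, nothing to run
            continue
        base = name.rsplit("/", 1)[-1].lower()
        # Only the last extension counts, so "invoice.pdf.exe" is caught.
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        if ext in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the name check and the content check into one verdict."""
    reasons = []
    if matches_lure_name(filename):
        reasons.append(f"name matches Upatre lure pattern: {filename}")
    if filename.lower().endswith(".zip"):
        for member in executable_members(data):
            reasons.append(f"executable inside archive: {member}")
    return {"filename": filename, "verdict": "block" if reasons else "allow", "reasons": reasons}


def make_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from constructed members (test data, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the 'lure' archive carries an inert placeholder file with
# an executable double extension; the benign one carries a plain text document.
SAMPLE_LURE_ZIP = make_sample_zip({"Remit_8841.pdf.exe": b"placeholder, not a real binary"})
SAMPLE_BENIGN_ZIP = make_sample_zip({"report.txt": b"quarterly figures"})

if __name__ == "__main__":
    for name, blob in (("Remit_8841.zip", SAMPLE_LURE_ZIP),
                       ("quarterly_report.zip", SAMPLE_BENIGN_ZIP),
                       ("USPS - Missed package delivery.zip", SAMPLE_BENIGN_ZIP)):
        print(triage_attachment(name, blob))
```

The two checks are deliberately independent: the name patterns catch this campaign's lures even when the archive is unreadable, and the member check catches a renamed lure whose zip still carries an executable. An archive that cannot be opened is reported as suspicious rather than passed through, since a gateway that fails open on a malformed zip is the gap a downloader like this one relies on.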

Researchers tracking the expansion and reach of the Upatre Trojan have also found that its creators deliver the payload with exploit kits targeting Java and PDF vulnerabilities. This opens up a whole new can of worms regarding the potency of the Upatre Trojan, which has essentially become a primary means of delivering malware for a large number of hackers and cybercrooks. The Upatre Trojan pulls malware from several different malicious domains, much as older threats such as Zbot did at the height of their popularity.

Researchers even suspect the Upatre Trojan of delivering popular and emerging ransomware such as CryptoLocker, which has had a mounting effect on systems primarily located in the United States. As far as the locality of the Upatre Trojan goes, the USA remains its near-exclusive proving ground, accounting for 97% of its infections, as shown in the Figure 2 chart below.

Figure 2. Win32/Upatre Trojan Locality report count – Source: threatpost.com
[Chart: Upatre Trojan infection location data]

2 Comments

It's also found in FAX87582_8724_pdf.zip

Found it in a file called document-3154.zip
