Upatre Trojan Downloader Targets PCs Running Outdated Windows XP via Clever Spam Campaign

While the adoption rate for Windows 10 is steadily rising, with nearly 7% of PCs around the world running the new operating system, there are almost twice as many PCs still running a copy of Windows XP, putting themselves in grave danger from malicious threats that target the outdated version of Windows.

While Windows XP may be dead to those who have a forward momentum in life, cybercrooks are thriving on the opportunity to hit a portion of the 12% of computers around the world that are believed to be still running the antiquated Windows XP operating system. As such, the famous Upatre Trojan horse threat is among a surge of malware that is targeting Windows XP.

AppRiver, a company known for providing cyber-security solutions for web and email products, has reported a new spam campaign that is distributing the Upatre Trojan downloader to computer users who run Windows XP. The threat is spread among any type of PC but takes advantage of the outdated infrastructure of Windows XP.

The new spam campaign is delivered with an email subject line claiming it is an "Attorney-client agreement." The email employs a well-known lawsuit scare tactic, which further entices computer users to click on the message and open the attachment. The attachment is a ZIP archive that, upon opening, will load the Upatre Trojan. The spam message is also a clever one: the ZIP archive is sent with one of three random names so as to avoid capture by spam filters that look at the attachment name and compare it with previously known threats.

Image of spam message containing Upatre Trojan threat in ZIP attachment. Image source: AppRiver
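
The renamed-attachment evasion described above defeats filters keyed on the attachment name. The following added example (not AppRiver's or this article's code) inspects what is inside the archive instead. The blocklist entry, attachment names, member name and extension list are constructed, and it assumes the archive carries a file with an executable extension.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions treated as executable content (assumed policy list, not from the article).
RISKY_EXTS = (".exe", ".scr", ".pif", ".com", ".js", ".vbs")
# A name-based filter only knows attachment names it has already seen (constructed).
KNOWN_BAD_NAMES = {"agreement.zip"}


def build_sample(attachment_name: str) -> bytes:
    """Constructed sample mail: a ZIP holding one harmless stub named like a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"harmless placeholder bytes")
    msg = EmailMessage()
    msg["Subject"] = "Attorney-client agreement"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Please review the attached agreement.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def name_filter_hits(raw: bytes) -> bool:
    """Filename-only check: the approach that renamed attachments defeat."""
    msg = message_from_bytes(raw)
    return any((p.get_filename() or "").lower() in KNOWN_BAD_NAMES
               for p in msg.walk())


def content_filter_hits(raw: bytes) -> list:
    """Open each ZIP attachment and report members with risky extensions."""
    hits = []
    for part in message_from_bytes(raw).walk():
        data = part.get_payload(decode=True)
        if not data or not data.startswith(b"PK\x03\x04"):
            continue  # identify ZIPs by magic bytes, not by name or MIME type
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            hits.append("<unreadable zip>")  # malformed archive: flag for review
            continue
        hits += [n for n in names if n.lower().endswith(RISKY_EXTS)]
    return hits
```

Renaming the attachment changes the result of `name_filter_hits` but not of `content_filter_hits`, which is why gateway policies that block executables inside archives are not affected by this trick.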

As we know very well, the Upatre threat is a Trojan horse downloader that was first discovered in August of 2013. At the time, Upatre was known to be used to download other malware threats, such as the famous Zeus banking Trojan or the Dyreza threat, all famed for their ability to steal login credentials that may belong to online banking consumers. Additionally, Upatre is responsible for the spread of popular ransomware threats, such as CryptoLocker.

Over the course of the past couple of years, Upatre has received updates from cybercrooks, but these have lessened its effectiveness to the point where it is now limited to primarily attacking Windows XP machines. We believe that the Upatre threat demonstrates that the crooks behind it lack the ability to evolve it enough to target newer operating systems that are constantly updated. Instead, Upatre relies on the same expected code of Windows XP, which will never change now that the operating system is no longer supported, to obtain data stored on infected systems.

AppRiver's analysis of the latest version of Upatre also reveals how it tends to crash after a short period of time, even on Windows XP systems. In all, this discovery makes us believe that Upatre is on its last legs, but before it meets its demise it is still causing serious issues for those who have failed to update their PC to run a version of Windows newer than Windows XP.

Let this be a lesson to always keep your software, including your operating system, up to date by applying the latest security patches, even if you are running an older but supported version of Windows. Windows XP is so early 2000s!
