UPAS Kit Description

The UPAS Kit is a threatening program that was discovered in June 2018, which is related to the Kronos Banking Trojan. The UPAS Kit is known to have been used in spam campaigns, and it can be found on harmful USB drives. The threat actors responsible for the UPAS Kit use it to hide the presence of other malware, plant spyware and install banking Trojans. The malware is known to support anti-VM (Anti Virtual Machine) functions to prevent analysis in test environments. The first function reads the system volume serial number by running a 'GetVolumeInformationW' command, and then, the serial number is compared to the value 0xCD1A40 that is associated with a sandbox service. The send function looks for an artifact from the VMWare suite associated with communication between a host and guest OS.

The UPAS Kit is loaded in the system memory from weaponized Microsoft Word files and corrupted USB drives. The UPAS Kit is programmed to copy itself to randomly named files that are saved to system directories. Computer security researchers reported that the UPAS Kit copies itself to a folder titled 'Microsoft' under the AppData system directory and copies itself to the Temp directory too. The malware loads the file saved in C:\Users\username\AppData\Microsoft and if it is not blocked UPAS Kit loads the second file from C:\Users\username\AppData\Local\Temp. Attacks with the UPAS Kit are rather straight-forward, the malware copies its virtual image to a buffer and then attempts to allocate memory space in a targeted remote process.

In simpler terms, the UPAS Kit malware copies itself to a buffer and then attempts to create a sub-process under a legitimate program that is currently running. Typically, the UPAS Kit injects itself into the 'iexplorer.exe,' 'explorer.exe' and 'svhost.exe.' Once the injection is complete, the UPAS Kit malware opens an uninterrupted network communication with the 'Command and Control' server. The UPAS Kit responds to commands like 'download,' 'execute,' and 'delete.' The UPAS Kit can be used to download payloads, run programs, delete itself and spread to machines on the local network. The UPAS Kit malware spreads to other machines by means of infected USB drives. The UPAS Kit malware overwrites the 'autorun.inf file on USB sticks that loads a hidden EXE file when it is plugged on a new device.

Removing the UPAS Kit can be difficult since it injects itself into a legitimate process. You should run security scans regularly and patch your programs as necessary. Detection names for the UPAS Kit are listed below:

A Variant Of Win32/AutoRun.Agent.AGC
Generic.Malware.SFdldg.5D65AA1D (B)
Malicious_confidence_100% (D)
Riskware ( 0015e4f01 )