Dell: Cybercriminals Deploy ‘Upatre’ Downloader in an Attempt to Distribute ‘Gameover’ Trojan

Security researchers of Dell's SecureWorks Counter Threat Unit (CTU) have been securitizing the actions of a group of cybercriminals that depend on the P2P (peer-to-peer)variant of the infamous Zbot or Zeus Trojan also referred to as Gameover. They found that besides the Pony Loader, the cybercriminals have also been employing the 'Upatre' downloader to dispense the malware.

The Upatre downloader, as accords to Dell researchers, has a tiny file size and is awfully simple, employing its functionality completely in a single function. It (Upatre) downloads and implements a file from a hard coded URL above an encrypted SSL (secure sockets layer) connection from a hijacked web-server and later departs, as published by scmagazine.com.au on October 8, 2013.

The handlers of Gameover-Zeus botnet dispense both 'Pony Loader' and 'Upatre' downloader via spam mails sent through Cutwail botnet. Many allures have employed social engineering tactics by mimicking financial organizations and government-based agencies to dupe a victim into executing the malicious software. The spam mails carry an implanted malware as a ZIP attachment and user's execution is required to infect the system.

Once executed, it (Upatre) duplicates its own self to a short-term directory together with a hard coded filename and executes the transitory copy and ceases the present process. It erases the original executable file and joins to a hard coded URL in order to download the malicious payload. It notes down the payload to a disk by employing a hardcoded name in the short-termed directory and executes the malware payload and then exits.

Interestingly, the authors of malware mainly used SSL encryption to delay net base signature detection system.

"The Gameover Zeus operators on a regular basis update their TTP or tactics, techniques, and procedures. Their most recent move appears to obscure signature based net detection for their malware downloaders by employing hijacked web sites and SSL," experts from Dell's CTU noted, as reported by softpedia.com on October 8, 2013.

The CTU researchers' advice businesses to remain alert and to install a defense-in-depth strategy which includes educating staff on phishing tactics by miscreants and to block executable file types to detect the incoming malicious emails. They also recommend keeping updating antivirus operating system.

» SPAMfighter News - 10/21/2013