ALIASES:

Microsoft: Upatre; Symantec: Upatre; Kaspersky: Upatre

PLATFORM:

Windows

  • Threat Type: Trojan

  • Destructiveness: No

  • In the wild: Yes

OVERVIEW

Infection Channel: Spammed via email

UPATRE was first spotted in August 2013, after the fall of the Blackhole Exploit Kit. Its variants usually arrive on systems as malicious files attached to spammed messages, or as a link to a malicious website hosting the malware itself.

Upon installation, UPATRE malware downloads and executes additional malware on the affected system. Malware downloaded by UPATRE includes ZEUS, CRILOCK, DYREZA and ROVNIX variants. Such malware severely compromises the security of the systems it affects and, in CRILOCK's case, renders them unusable due to its file-encrypting routines.

New variants of UPATRE are now capable of stealing system information such as the affected system’s computer name and operating system.

TECHNICAL DETAILS

Payload: Connects to URLs/IPs, Drops files

Installation

This Trojan drops the following copies of itself onto the affected system and executes them:

  • %User Temp%\pdfviewer.exe
  • %User Temp%\informix.exe
  • %User Temp%\ELuXJ36.exe
  • %User Temp%\goofit5.exe
  • %User Temp%\vybzl.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

  • %User Temp%\temp_4662.txt
  • %User Temp%\{5letters}{2digits}.exe
  • %User Temp%\mix_T17.tmp
  • %User Temp%\tep-D366.txt
  • %User Temp%\tep-043.txt
  • %User Temp%\EXE1.exe
  • %User Temp%\utt69B9.tmp

Other System Modifications

This Trojan adds the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\ESENT\Process\document81723\DEBUG
Trace Level = null

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
marker_UAC_bypassed = TRUE

Other Details

This Trojan connects to the following possibly malicious URLs:

  • http://{BLOCKED}s.com/look2.pdf
  • http://{BLOCKED}a.com/mandoc/look2.pdf
  • http://{BLOCKED}onidarte.it/mandoc/seo21.pdf
  • http://{BLOCKED}drifting.com/news/seo21.pdf
  • http://{BLOCKED}eriayahorrodeenergia.com/mandoc/listc.pdf
  • http://www.{BLOCKED}rivinglessons.com/mandoc/listc.pdf
  • http://{BLOCKED}ab.net/mandoc/instr1.pdf
  • http://{BLOCKED}dragovic.com/mandoc/instr1.pdf
  • http://{BLOCKED}otelpatong.com/document/wis22.jpa
  • http://{BLOCKED}beli.com:80/images/wis22.jpa
  • http://202.153.35.133:{random port}/1401_11/{computer name of affected system}/0/{OS version}-{service pack}/0/
  • http://{BLOCKED}.153.35.133:{random port}/1401_11/{computer name of affected system}/{value}/{value}/{value}
  • http://{BLOCKED}.153.35.133:{random port}/2101us21/{computer name of affected system}/0/{OS version}-{service pack}/0/
  • http://{BLOCKED}.153.35.133:{random port}/2101us21/{computer name of affected system}/{value}/{value}/{value}
  • http://{BLOCKED}.153.35.133:22446/1401uk21/{computername}/0/{OS Version}-{Service Pack}/0/
  • http://{BLOCKED}.153.35.133/22446/{computername}/{value1}/{value2}/{value3}/
  • http://{BLOCKED}.153.35.133/0901us2/{computername}/0/{OS Version}-{Service Pack}/0/
  • http://{BLOCKED}.153.35.133/0901us2/{computername}/{value1}/{value2}/{value3}/
  • http://{BLOCKED}.210.204.149:{random port}/0812us22/{computer name}/0/{os version and service pack}/0
  • http://{BLOCKED}.210.204.149:{random port}/0812us22/{computer name}/1/0/0
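As an added detection example, not part of the original entry, the script below scans constructed proxy log lines for the check-in URL layout listed above, where the path carries a campaign tag, the victim's computer name and the OS version and service pack. The log line format, the client addresses and the 203.0.113.10 server address are assumptions made for the sample.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Campaign tags taken from the URL list above: 1401_11, 2101us21, 1401uk21, 0901us2, 0812us22
CAMPAIGN = r"\d{4}(?:_\d+|[a-z]{2}\d+)"
# Path layout: /{campaign}/{computer name}/{field1}/{field2}/{field3}[/]
BEACON_PATH = re.compile(
    rf"^/(?P<campaign>{CAMPAIGN})/(?P<host>[^/]+)/(?P<f1>[^/]+)/(?P<f2>[^/]+)/(?P<f3>[^/]+)/?$"
)

@dataclass
class Beacon:
    src: str            # internal client that sent the request
    c2: str             # host:port the request was sent to
    campaign: str
    victim_host: str    # computer name leaked in the URL path
    kind: str           # "checkin" (carries OS version-service pack) or "status"
    os_info: Optional[str]

def parse_beacon(src: str, url: str) -> Optional[Beacon]:
    """Return a Beacon if the URL path follows the UPATRE check-in layout, else None."""
    parts = urlsplit(url)
    m = BEACON_PATH.match(parts.path)
    if not m:
        return None
    f1, f2, f3 = m["f1"], m["f2"], m["f3"]
    # Initial check-in: /0/{OS version}-{service pack}/0/ ; any other triple is a status call
    if f1 == "0" and f3 == "0" and "-" in f2:
        return Beacon(src, parts.netloc, m["campaign"], m["host"], "checkin", f2)
    return Beacon(src, parts.netloc, m["campaign"], m["host"], "status", None)

def scan_proxy_log(lines):
    """Assumed proxy log format: '<time> <client ip> <status> <method> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        hit = parse_beacon(fields[1], fields[4])
        if hit:
            hits.append(hit)
    return hits

# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real server
SAMPLE_LOG = [
    "2014-01-14T10:02:11Z 10.0.0.21 200 GET http://203.0.113.10:22446/1401uk21/WKSTN-07/0/6.1-SP1/0/",
    "2014-01-14T10:02:13Z 10.0.0.21 200 GET http://203.0.113.10:22446/1401uk21/WKSTN-07/1/0/0",
    "2014-01-14T10:03:00Z 10.0.0.22 200 GET http://www.example.com/images/logo.png",
    "2014-01-14T10:03:05Z 10.0.0.23 200 GET http://203.0.113.10/0901us2/LAPTOP-3/0/5.1-SP3/0/",
]

if __name__ == "__main__":
    for b in scan_proxy_log(SAMPLE_LOG):
        print(f"{b.src} -> {b.c2} campaign={b.campaign} victim={b.victim_host} {b.kind} {b.os_info or ''}")
```

A check-in hit tells the responder which internal host is infected and what OS details were already sent out; the matching registry marker and dropped files listed above can then be verified on that host.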