Social Engineering Watch: UPATRE Malware Abuses Dropbox Links
Threats like UPATRE continuously evolve, as seen in the techniques developed to bypass security solutions. UPATRE malware variants are known downloaders of information stealers like ZeuS and typically spread via email attachments. We recently spotted several spam runs that abuse the popular file hosting service Dropbox. These use embedded links that lead to the download of UPATRE malware variants. What is noteworthy about these spam attacks is that this is the first instance in which we saw TROJ_UPATRE being deployed via a URL found in an email message.
One of the spam samples we saw poses as an eFax notification email with a Dropbox link in the message body. Once unsuspecting users click the link, they are redirected to a Dropbox URL, which leads to the download of a malicious file detected as TROJ_UPATRE.YYMV. When executed, it downloads a ZBOT variant, detected as TSPY_ZBOT.YYMV, which, in turn, drops a rootkit detected as RTKT_NECURS.MJYE. The NECURS variants are known to disable security solutions on infected systems, causing further infection.
Figure 1. Sample of these spam emails
Figure 2. Legitimate copy of email message from eFax
The other spam sample we saw pretended to be an email from NatWest Bank with a Dropbox link to a supposed NatWest Financial Activity Statement, which is actually TROJ_UPATRE malware. It follows the same UPATRE-ZBOT-NECURS infection chain. Based on our investigation, this spam run also uses the names of legitimate companies, such as Lloyds Bank, eFax, Intuit, ADP, BBB, and Skype, among others. We also came across spammed messages with embedded Dropbox links that redirect to Canadian pharmacy websites.
We have been monitoring this spam campaign since it started last May 23; it began to increase a week later. Dropbox had already been informed of this incident as of posting. We have also notified them and submitted the current list of affected accounts that seem to be hosting malware in Dropbox.
Last April, we reported tax-themed spammed messages that follow the same infection combination of UPATRE, ZBOT, and NECURS. Based on our data, UPATRE remained the top malware distributed via spam from January to May 2014.
Figure 2. Top 5 distributed malware via spam mail, Jan-May 2014
Cybercriminals often go with what’s hot and popular for their social engineering lures. In this case, the bad guys abused legitimate Dropbox links in order to trick users into downloading various malware, which can lead to system infection and information theft.
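A mail-triage heuristic for the lure described above, added here as an example and not taken from Trend Micro's detection logic: it flags a message whose sender display name or subject claims one of the companies named in this post while the body links to a file-hosting domain. The host list, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Company names the article lists as impersonated in this spam run.
BRANDS = ("efax", "natwest", "lloyds", "intuit", "adp", "bbb", "skype")
# Assumption: hosts treated as generic file hosting for this check.
FILE_HOSTS = ("dropbox.com", "dropboxusercontent.com")
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)

def host_in(host, domain):
    """True for the domain itself or a subdomain, not for lookalikes."""
    return host == domain or host.endswith("." + domain)

def body_text(msg):
    """Concatenate every decoded text/* part of the message."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        data = part.get_payload(decode=True) or b""
        try:
            out.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
        except LookupError:  # unknown charset label in the header
            out.append(data.decode("utf-8", "replace"))
    return "\n".join(out)

def check_message(raw):
    """Flag mail that claims a listed brand but links to a file host."""
    msg = message_from_string(raw)
    display, _addr = parseaddr(msg.get("From", ""))
    claimed = (display + " " + msg.get("Subject", "")).lower()
    brands = [b for b in BRANDS if re.search(r"\b" + b + r"\b", claimed)]
    links = [u for u in URL_RE.findall(body_text(msg))
             if any(host_in((urlparse(u).hostname or "").lower(), d) for d in FILE_HOSTS)]
    return {"brands": brands, "links": links, "suspicious": bool(brands and links)}

# Constructed sample messages (not taken from the campaign).
LURE = ('From: "eFax Corporate" <message@inbound.example>\n'
        "Subject: Fax message received\n\n"
        "View your fax: https://www.dropbox.com/s/EXAMPLE/fax_document.zip\n")
SHARE = ('From: "Alice" <alice@example.org>\nSubject: Trip photos\n\n'
         "Here: https://www.dropbox.com/s/EXAMPLE/photos.zip\n")
LOOKALIKE = ('From: "eFax" <a@b.example>\nSubject: Fax\n\n'
             "https://notdropbox.com/s/EXAMPLE/x.zip\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("share", SHARE), ("lookalike", LOOKALIKE)):
        print(name, check_message(raw))
```

A hit is a triage signal to combine with sender authentication results, since a listed company could legitimately share a file through Dropbox.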
Trend Micro protects users from this threat by detecting all spam-related samples and malicious files.
With additional analysis from Mark Manahan