• Upatre has been active since 2013 and linked with the Dyre banking trojan
  • Cybercriminals have previously used Upatre as a downloader for various malware like Locky, Dridex, Zeus, GameOver and others.

Security researchers have discovered that Upatre, a popular malware downloader that was first discovered in 2013, has been upgraded by cybercriminals with new detection evasion techniques. Upatre is known for it links with the Dyre banking malware. In July 2015, Upatre’s Dyre infections peaked with over 250,000 infections per month.

However, since the cybercriminals behind Dyre were apprehended by authorities in November 2015, Upatre is no longer used among cybercriminals.

Despite this, security researchers at Palo Alto Networks discovered an unknown variant of Upatre which they believe was compiled back in December 2016.

“This previously undocumented variant features significant code flow obscuration, a pro re nata means of decryption for network communications, and of particular interest, the method in which this variant evades virtual machine detection,” Palo Alto researchers wrote in a blog.

Old tool, new tricks

Upatre was once quite a popular tool amongst cybercriminals, serving as a downloader for various malware variants including, Zeus, GameOver, Dridex, Locky, Kegotip and Dyre, among others. The downloader is generally delivered to targeted systems either as an email attachment or via a compromised website.

The new variant was found to be written in Visual C++ and is capable of detecting whether it is running within a virtual machine.

“Although virtual machine detection is anything but new, in this variant, it is handled a bit differently than other samples previously analyzed by Unit 42,” Palo Alto researchers added. “To evade detection, the newly observed variant enumerates the running processes on the host, generates a CRC32 hash of the process name, performs an XOR with a hard-coded key of 0x0F27DC411, and finally compares the newly computed value against a list of values stored in an array within the code.”

The new Upatre version is also capable of loading code in-memory and can disable several Windows services including Windows Firewall, Defender, Security Center, connection sharing and more. The malware can also disable Internet Explorer’s phishing filter and remove security notifications on Windows 7 and later versions.

Researchers found that the new Upatre variant uses the same dot-bit domains used by other malware variants such as Necurs, GandCrab, Vobfus, Tofsee, Floxif, Ramnit and others.

“This version of Upatre contains significantly obfuscated code to increase the difficulty of analysis,” Palo Alto researchers said. “Due to the C2 domains being down at the time of our analysis, which was unsurprising given the potential age of the sample, we were never able to capture the ultimate payload for this new Upatre variant.”

Cyware Publisher