“The extremely popular Upatre Trojan downloader has undergone considerable changes that will make it and its communication more difficult to spot and block.
The changes were implemented in the new variants detected and analyzed late last week by Cisco’s Talos Group researchers, and include:
(Nearly) full SSL encryption of traffic to and from the C&C server
“All communication after the identification of IP address from public websites has been placed inside an SSL session making identification of the threat more difficult,” they noted.
Before, the traffic was HTTP over non-standard ports and only occasionally SSL. The non-encrypted portion now only accounts for less than 1% of the data transferred between the compromised host and C2 servers.
A new way of obtaining the system’s IP address and a new User-Agent
“The previous samples all made GET requests to checkip.dyndns.org in order to obtain the IP address of the compromised system. This new variant has shifted to icanhazip.com as the site used for IP identification,” they explained.
“The User-Agent used during the communication by Upatre to date have been non-standard and somewhat unique. User-Agents such as ‘Mazilla/5.0’ have been used for several months, while in the past, other User-Agents such as ‘testupdate’, ‘onlyupdate’, etc have been used. This new variant has changed that to ‘Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0’ which is a more standard User Agent again driven to hinder detection.”
A new way of delivery of additional malware
Most previous Upatre variants used to be delivered to users via an executable masquerading as a PDF file. Once run, the program would download an Adobe document and display it so that the victims’ don’t become suspicious, and the actual Upatre, which would then download additional malware (often the Dyre info-stealer).
A recently detected new sample does not display PDFs to the user anymore. “Now the malicious file download occurs in the background and communication is encrypted with SSL,” the researchers shared.
They have detected at least fifteen unique email spam delivery campaigns – different From address, different subject, and different attachment.
“With the addition of SSL encryption, changes to URL structure, and continually evolving User-Agents, Upatre has clearly evolved and is a sophisticated piece of malware that is mutating to avoid detection post-infection and hide communications in an efficient manner that is difficult to block,” they pointed out.
“This continues to reinforce a common theme of 2015 the basic threats are becoming more advanced. The monetization of hacking is continuing to drive innovation at lower levels of the attack structure and will continue as long as there are significant financial gains at stake.””