UPATRE was first spotted in August 2013, after the fall of the Blackhole Exploit Kit. Its variants usually arrive on systems as malicious files attached to spammed messages, or as a link to a malicious website hosting the malware itself.
Once installed, UPATRE downloads and executes additional malware on the affected system. Malware downloaded by UPATRE includes ZEUS, CRILOCK, DYREZA and ROVNIX variants. Such malware severely compromises the security of the affected system and, in CRILOCK's case, renders it useless through its file-encrypting routines.
New variants of TROJ_UPATRE are now capable of stealing system information such as the affected system's computer name and operating system. UPATRE samples use the Adobe Acrobat icon for files with an EXE or SCR extension, particularly those attached to spam mails. This characteristic is highly suspicious and distinctive of the UPATRE family, so it can be used as an indicator for this threat family.
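The attachment characteristic described above (an EXE or SCR file dressed up as a document) lends itself to a simple triage check at the mail gateway or in an incident-response script. The following Python example is added here and is not Trend Micro's code; it parses a constructed sample message, flags attachments with an executable extension, a PE (MZ) header, or a document-style double extension such as `invoice.pdf.scr`, and returns the reasons. It does not inspect the PE resource section, so the icon-mimicry part of the indicator is left to a separate check; the sample message and its attachment bytes are constructed for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions the write-up associates with UPATRE spam lures.
SUSPECT_EXTENSIONS = {".exe", ".scr"}
# Every Windows PE file begins with the DOS "MZ" signature.
PE_MAGIC = b"MZ"


def classify_attachment(filename, payload):
    """Return the reasons an attachment looks like an UPATRE-style lure,
    or an empty list when none of the heuristics apply."""
    reasons = []
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in SUSPECT_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if payload.startswith(PE_MAGIC):
        reasons.append("PE (MZ) header")
    # A document name wrapped around a binary, e.g. invoice.pdf.exe.
    if re.search(r"\.(pdf|doc|docx|xls|txt)\.\w{2,4}$", name):
        reasons.append("document-style double extension")
    return reasons


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and return (filename, reasons) for each
    attachment that trips at least one heuristic."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, payload)
        if reasons:
            findings.append((filename, reasons))
    return findings


def build_sample_eml():
    """Constructed sample message (not a real UPATRE spam run): one fake
    PE file named like a PDF, and one harmless PDF-looking attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.scr")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in triage_message(build_sample_eml()):
        print(f"{filename}: {', '.join(reasons)}")
```

Run against a mailbox export, the same `triage_message` call can be applied to each `.eml` file; the PE-header check is what keeps a renamed `.exe` from slipping past an extension-only filter.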
For further information on TROJ_UPATRE variants that we have already detected, click here.
UPATRE: INFECTION CHAIN and LAYERED SOLUTION
Pattern Versions and Release Dates
| Pattern | Version | Release Date |
| --- | --- | --- |
| AntiSpam Pattern | AS Pattern 1280 | Jan 24, 2015 |
| Virus Pattern | OPR 11.415.00 | Jan 16, 2015 |
| Behavior Monitoring BM Pattern | OPR 1459 | Jul 1, 2015 |
| Deep Discovery Pattern | NCIP 1.12195.00 | Nov 21, 2014 |
| Damage Cleanup Template | DCT OPR 1444 | Apr 2, 2015 |
| Web Reputation | | Jan 14, 2015 |
|Major Products||Versions||Virus Pattern||Behavior Monitoring||Email Reputation||AntiSpam Pattern||Web Reputation||DDI Pattern|
|OfficeScan||10.6 and above||Update Pattern via web console||Update Pattern via web console||N/A||N/A||Enable Web Reputation Service*||N/A|
|Deep Security||8.0 and above||N/A||N/A||N/A||N/A|
|ScanMail||SMEX 10 and later||N/A||Enable Email Reputation Service*||Update Pattern via web console||N/A|
|SMD 5 and later||N/A||N/A||N/A|
|InterScan Messaging||IMSVA 8.0 and above||N/A||Enable Email Reputation Service*||N/A|
|InterScan Web||IWSVA 6.0 and later||N/A||N/A||N/A||N/A|
|Deep Discovery||DDI 3.0 and later||N/A||N/A||N/A||Update Pattern via web console|
For recommendations and the best practices that can help you better protect your network using Trend Micro products, refer to this link.