Upatre Trojan coming for XP Users

A new phishing campaign loaded with the Upatre Trojan is circulating that seems to be specifically targeting Windows XP machines. (Upatre is a Trojan downloader family that, once installed, is responsible for stealing information and downloading additional malware onto victim machines.)

Fred Touchette, senior security analyst at AppRiver, explains, “We’ve been seeing yet another offering from the Upatre guys. One interesting detail about this line of attack is that they seem to be targeting older, out-of-date PCs. After running the samples on a couple of different operating systems, they only seemed to want to carry out their malicious intent on machines running Windows XP (I was using SP3). On newer versions it would shut itself down almost immediately after execution. Once operational though, this malware begins to hijack system processes to get a foothold on its new victim. It then reaches out to check its IP address and then looks to communicate with the IP on port 12299 where it reports back with information about the new target such as the IP it had just looked up and the computer name. Following this, the malware adds a good number of registry entries dealing with security certificates, mostly disallowing them and peeks around for debugging tools.”

Detailing the delivery email itself, Fred adds, “It comes in with a rather lengthy, by comparison, email with the subject line ‘Attorney-client agreement’. This story line certainly leaves out a few major details as it begins with a lawyer apparently already in court fighting against some sort of breach of contract suit against the recipient. The opening paragraph even forgives the intended targets for missing court this morning, citing that the court ‘understood’. This must come as a real shock to those of us who don’t keep a lawyer on retainer and those who didn’t realize they were being sued. It probably would’ve been really nice of this mystery lawyer to let you know that this was going on before it got to this point, I would think.”


While this phishing campaign uses a classic, if slightly long-winded, social engineering technique employed by cyber thieves, the payload in this attack lives in an accompanying attachment, each one quasi-randomly named by stringing together three different words from an apparent wordlist supplied by the command and control server. This randomization makes the files slightly harder to pin down, simply because organisations cannot block on the file name alone. Otherwise, it’s business as usual when it comes to stopping these nuisances.
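Since the file names are randomised, a more reliable handle is the behaviour Fred describes: an outbound IP-address lookup followed shortly by a check-in to TCP port 12299. The script below is an added example, not code from the article or AppRiver; it runs that correlation over constructed connection-log lines, and the IP-check hostname, the log format and the 120-second window are assumptions, since the article names none of them.

```python
"""Flag the check-in sequence described above: an outbound IP-address lookup
followed shortly by a connection to TCP port 12299 (the port quoted in the article)."""
from datetime import datetime, timedelta

C2_PORT = 12299                        # from the article
WINDOW = timedelta(seconds=120)        # assumed gap between lookup and check-in
IP_CHECK_HOSTS = {"ipcheck.example"}   # assumed; the article does not name the service

# Constructed sample log: "<timestamp> <source host> <dst ip>:<dst port> <hostname or ->"
SAMPLE_LOG = """\
2014-03-10T09:01:02 ws-xp-07 203.0.113.10:80 ipcheck.example
2014-03-10T09:01:05 ws-xp-07 198.51.100.23:12299 -
2014-03-10T09:02:10 ws-win7-02 203.0.113.10:80 ipcheck.example
2014-03-10T09:15:00 ws-win7-02 198.51.100.99:443 mail.example
2014-03-10T09:20:00 ws-xp-03 198.51.100.23:12299 -
"""

def parse_line(line):
    """Split one log line into its fields; returns None for malformed or blank lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, host, dst, name = parts
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "dst_ip": dst_ip, "dst_port": int(dst_port), "name": name}

def detect(log_text, window=WINDOW):
    """Return alerts: 'high' when a port-12299 connection follows an IP lookup from
    the same host within `window`, 'medium' for a port-12299 connection on its own."""
    last_lookup = {}          # source host -> time of its most recent IP lookup
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["name"] in IP_CHECK_HOSTS:
            last_lookup[ev["host"]] = ev["ts"]
            continue
        if ev["dst_port"] == C2_PORT:
            seen = last_lookup.get(ev["host"])
            recent = seen is not None and ev["ts"] - seen <= window
            alerts.append({"host": ev["host"], "ts": ev["ts"].isoformat(),
                           "dst_ip": ev["dst_ip"],
                           "severity": "high" if recent else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Feed it real proxy or firewall exports in the same four-column shape and tune WINDOW and IP_CHECK_HOSTS to what the environment actually sees.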

Fred concludes, “Even on Windows XP these samples seemed a little rickety as they tended to crash after a fairly short period of time, but they did have the best success rate on the XP machines. I wouldn’t be surprised though if this little issue is quickly resolved and we start seeing the next campaign from these guys within the day. Seeing several different themes from this particular family of malware has been commonplace and happening on a daily basis for quite some time now. My advice, as always, is do not click on links, open or download attachments from unknown senders.”