Support is seeing an influx of calls on a spam attack with a Downloader.Upatre threat.
Because the threat is a downloader and the downloaded files have differing behaviors the following is general information on what we are seeing.
The threat generally:
- Arrives in a .ZIP attachment
- Is initially a .SCR file, but will re-write itself as a .exe after execution
- File names follow a similar naming convention:
  - document81723.scr
  - payment_ref02812_pdf.scr
  - fax8642174_pdf.exe
  - document18731.scr
  - payment-confirmed2763_pdf.scr
- Downloads additional threats and backdoors. These include: Infostealer.Dyranges, Backdoor.Trojan, and Trojan Horse
- May be detected as Downloader.Upatre, Trojan.Gen.Smh
- May include a non-executable threat artifact.
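The naming convention above (a lure word such as document, payment or fax, a run of digits, an optional fake "_pdf" tag, and a .scr or .exe extension inside a ZIP) is easy to turn into a gateway-side check. The following is an added example, not part of the original bulletin and not a Symantec tool; it assumes a hypothetical mail-gateway log format with `attachment=` and `inner=` fields, and the sample log lines are constructed for illustration. It generalises slightly beyond the five names listed by matching any of the three lure words with any digit run.

```python
import re

# Constructed sample log lines in a hypothetical gateway format
# (attachment=<zip name> inner=<file inside the zip>). Not real traffic.
SAMPLE_LOG = """\
2014-10-21 08:12:03 gw01 attachment=invoice_2014.zip inner=document81723.scr
2014-10-21 08:13:44 gw01 attachment=payment.zip inner=payment_ref02812_pdf.scr
2014-10-21 08:15:10 gw01 attachment=fax.zip inner=fax8642174_pdf.exe
2014-10-21 08:16:22 gw01 attachment=report.zip inner=quarterly_report.pdf
2014-10-21 08:17:05 gw01 attachment=scan.zip inner=document18731.scr
2014-10-21 08:18:59 gw01 attachment=notes.zip inner=meeting_notes.docx
"""

# Extensions the bulletin says the dropper arrives with.
EXECUTABLE_EXTS = {".scr", ".exe"}

# Field extractor for the hypothetical log format above.
LOG_RE = re.compile(r"attachment=(?P<zip>\S+)\s+inner=(?P<inner>\S+)")

# Lure word, optional separator and qualifier, at least four digits,
# optional fake "_pdf" tag: covers all five names listed in the bulletin.
LURE_STEM_RE = re.compile(r"(document|payment|fax)[_-]?(ref|confirmed)?\d{4,}(_pdf)?")


def classify_name(name):
    """Return the list of reasons an inner-file name looks like an Upatre-style lure.

    An empty list means the name tripped none of the checks.
    """
    reasons = []
    lower = name.lower()
    m = re.search(r"(\.[a-z0-9]+)$", lower)
    ext = m.group(1) if m else ""

    # 1. Executable delivered inside a ZIP attachment.
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext} inside ZIP")

    # 2. Document tag glued in front of an executable extension (fax8642174_pdf.exe).
    if re.search(r"[_-]pdf\.(scr|exe)$", lower):
        reasons.append("fake '_pdf' document tag before executable extension")

    # 3. Lure word followed by a run of digits, matching the listed naming convention.
    stem = lower[: -len(ext)] if ext else lower
    if LURE_STEM_RE.fullmatch(stem):
        reasons.append("lure word followed by random digits")

    return reasons


def scan_log(text):
    """Return [(inner_name, reasons), ...] for every log line whose inner file is suspicious."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = classify_name(m.group("inner"))
        if reasons:
            hits.append((m.group("inner"), reasons))
    return hits


if __name__ == "__main__":
    for inner, reasons in scan_log(SAMPLE_LOG):
        print(f"{inner}: " + "; ".join(reasons))
```

Check 1 alone (any .scr or .exe inside a ZIP) is the one worth enforcing at the spam filter, since it does not depend on the attacker keeping the same lure words; checks 2 and 3 are useful for triaging which of the blocked attachments belong to this particular campaign.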
Remediation is fairly straightforward:
- Submit the file; get definitions and a *SCRIBE report
- Block all C&C communications noted in the report
- Scan and Remove the threat
- Reboot
* We have had some cases where a reboot was required to remove the threat from memory. We are suggesting a reboot on all machines where the threat was allowed to execute.

Because the secondary threats may not be the same for each infection, it's important to get new submissions and stay flexible in your troubleshooting.
*We have had several reports of one of the secondary threats having mass mailing capability as well. This is unconfirmed.
*What's a SCRIBE report?
A SCRIBE report is provided for all enterprise submissions and gives a technical analysis of the threat. It usually arrives about an hour after the initial submission.
Support Notes:
- Spam attacks should be blocked by a spam filter and should not be allowed to reach the desktop at all. Letting the message reach the desktop greatly shortens the time from delivery to infection.
- These are widespread, indiscriminate attacks and do not appear to be targeted.
Customers that have been attacked once are likely to be attacked again with a new variant designed to avoid detection, usually within 24 hours.