Upatre used for political spam campaign (Mar 19, 2015)
The Dell SonicWALL Threats Research team has observed a variant of the Upatre Trojan that is used for political spam. In this case the Trojan is used for an anti-drone campaign, urging victims to stand up to the U.S. Government against the use of drones in war.
Infection Cycle:
The Trojan uses the following icon to masquerade as a harmless PDF file:
Once infected, the Trojan causes the following PDF file to be displayed on the user's desktop:
The Trojan adds the following files to the filesystem:
- %USERPROFILE%\Local Settings\Temp\NltgLr.exe [Detected as GAV: Upatre.YYSH (Trojan)]
- %USERPROFILE%\Local Settings\Temp\OIgjpLdRXtPDrik.exe [Detected as GAV: Battdil.O (Trojan)]
- %USERPROFILE%\Local Settings\Temp\temp15.pdf
- %USERPROFILE%\Local Settings\Temp\tmpB0ED.txt (encrypted file)
- %SYSTEM32%\config\systemprofile\Application Data\nr9bqe8cb6.dll (encrypted file)
The Trojan makes the following DNS queries:
- straphael.org.uk
- canabrake.com.mx
- stun.schlund.de
- docs233.com
- smtp.docs233.com
The Trojan obtains the external IP address of the infected system from DynDNS and reports the infection to a remote webserver. It uses the Mazilla/5.0 user agent string that is typical of malware from this family:
It leaks information about the currently logged-in user and the version of Windows running:
The Trojan downloads the PDF file to be displayed in encrypted form:
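The DNS names and the misspelled "Mazilla/5.0" user agent above are the network indicators a defender can hunt for in resolver and proxy logs. The following script is an added example, not SonicWALL's own tooling: it takes the domains and user agent string exactly as listed in this advisory, runs them over constructed sample log lines (the log format, client addresses and timestamps are assumptions, not real captures), and flags a host as high confidence only when both signals corroborate each other.

```python
"""Indicator matching for the Upatre anti-drone spam variant.

Added example; not SonicWALL's own tooling. The domains, user agent and
dropped file names are taken from the advisory. The log lines and their
format are constructed samples, not real captures.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Domains the advisory reports the Trojan resolving.
UPATRE_DOMAINS = {
    "straphael.org.uk",
    "canabrake.com.mx",
    "stun.schlund.de",
    "docs233.com",
    "smtp.docs233.com",
}

# Misspelled user agent string the advisory attributes to this family.
UPATRE_UA_RE = re.compile(r"Mazilla/5\.0")

# Constructed sample resolver log. Assumed format: "<ts> <client> query=<name>"
SAMPLE_DNS_LOG = [
    "2015-03-19T10:01:02 10.0.0.15 query=checkip.dyndns.org",
    "2015-03-19T10:01:03 10.0.0.15 query=docs233.com",
    "2015-03-19T10:01:04 10.0.0.15 query=smtp.docs233.com.",
    "2015-03-19T10:01:05 10.0.0.22 query=www.example.com",
    "2015-03-19T10:01:06 10.0.0.22 query=stun.schlund.de",
]

# Constructed sample proxy log. Assumed format: '<ts> <client> <method> <url> ua="<agent>"'
SAMPLE_PROXY_LOG = [
    '2015-03-19T10:01:07 10.0.0.15 GET http://docs233.com/ ua="Mazilla/5.0"',
    '2015-03-19T10:01:08 10.0.0.22 GET http://www.example.com/ ua="Mozilla/5.0 (Windows NT 6.1)"',
]


def domain_matches(qname: str) -> bool:
    """True if qname equals one of the listed domains or is a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in UPATRE_DOMAINS)


def scan_dns_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each client address to the listed domains it queried."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = re.match(r"\S+\s+(\S+)\s+query=(\S+)", line)
        if m and domain_matches(m.group(2)):
            hits[m.group(1)].append(m.group(2).rstrip(".").lower())
    return dict(hits)


def scan_proxy_log(lines: Iterable[str]) -> Dict[str, int]:
    """Map each client address to the number of requests sent with Mazilla/5.0."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = re.match(r"\S+\s+(\S+)", line)
        if m and UPATRE_UA_RE.search(line):
            counts[m.group(1)] += 1
    return dict(counts)


def suspected_hosts(dns_lines: Iterable[str], proxy_lines: Iterable[str]) -> Dict[str, dict]:
    """Combine both signals per host.

    A host that both resolved a listed domain and sent the bogus user agent
    is rated "high"; a single signal on its own is rated "low".
    """
    dns = scan_dns_log(dns_lines)
    ua = scan_proxy_log(proxy_lines)
    result: Dict[str, dict] = {}
    for host in set(dns) | set(ua):
        domains = dns.get(host, [])
        requests = ua.get(host, 0)
        result[host] = {
            "domains": domains,
            "mazilla_requests": requests,
            "confidence": "high" if domains and requests else "low",
        }
    return result


if __name__ == "__main__":
    for host, info in sorted(suspected_hosts(SAMPLE_DNS_LOG, SAMPLE_PROXY_LOG).items()):
        print(host, info)
```

The two-signal rule exists because not every name in the list is unique to the Trojan: shared public services such as the stun.schlund.de STUN endpoint and the DynDNS external-IP check also appear in legitimate traffic, so a lone lookup is only a weak lead, whereas the "Mazilla/5.0" string has no reason to appear in normal browser traffic and corroborates it well.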
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Upatre.YYSH (Trojan)
- GAV: Battdil.O (Trojan)