The Evolution of Upatre: An overview

Number: TR15-001
Date: 27 March 2015

Purpose

The purpose of this report is to provide IT security personnel with an overview of Upatre, a Trojan downloader, and to highlight its development, evolution and current impact as one of the most prominent forms of malware distribution currently in circulation. It is assumed the reader has a working knowledge of malicious software (malware), malware distribution techniques including botnets and Command and Control (C&C) servers, perimeter security, and network intrusion detection systems. This document may be used by system administrators, Computer Security Incident Response Teams (CSIRTs), IT security operations centres, and other related technology groups.

Introduction

Upatre is used by malicious actors to download additional malware onto a victim's computer. Upatre has repeatedly changed its tactics to avoid detection, prolonging its existence as one of the more prominent malware downloaders. Its longevity can be attributed to its very small file size, its initial use of HTTPS to retrieve payloads, its later shift to HTTP, and its use of custom application-layer encryption of the payloads it downloads.

This report is the result of CCIRC technical analysts' work reverse engineering Upatre samples to detect trends and changing tactics. It explores each of these aspects, provides suggestions for detection and mitigation strategies and recommended best practices, and highlights Upatre's relationship with the Pushdo Trojan and its role within the Cutwail botnet.

Pony Downloader

The specifics of Upatre are better understood when compared to Pony, another downloader that was widely used prior to the emergence of Upatre. First observed in October 2011, Pony is a Trojan downloader and was one of the primary means of distributing malware, namely Gameover Zeus (GoZ), an information-stealing Trojan. The primary infection methods included spam emails with malicious executables as attachments or redirection to compromised websites. Upon infection, the Pony downloader would establish an HTTP connection to compromised websites to obtain the second-stage malware, usually GoZ.

Security experts were able to mitigate the Pony downloader by blocking executables being downloaded over HTTP. Criminals briefly bypassed this by renaming the executables as image files (.GIF or .JPEG), but network defenders could still block them by matching on a feature of the executable format itself rather than on the file extension: the first two bytes of an executable file are "MZ", which allows security software to recognize an executable even when its extension has been changed. Pony's obfuscation was limited to changing file extensions.

Identifying an Executable
An executable file, or .EXE, has a unique, identifiable feature: when viewed in hexadecimal, its first two bytes are 4D 5A, which is "MZ" in ASCII.

More sophisticated than Pony, Upatre encrypts the entire content of the executable files it downloads, including the "MZ" bytes that network perimeter devices typically rely on to block executable files.

CCIRC observed that during the first quarter of 2014 the number of newly identified sites used by Pony was decreasing significantly while the number of newly identified Upatre sites had sharply increased (see Figure 1). Pony saw its new site startup numbers surpassed by those of Upatre beginning in the second quarter of 2014 and by April, there were virtually no more newly identified sites being contacted by Pony.

Figure 1: Newly Identified Upatre Sites versus Pony 2012-14

Newly Identified Upatre Sites versus Pony 2012-14
Image Description

The above figure shows newly identified Upatre sites versus Pony between the dates January 2012 and April 2014. This data is represented by using three data sets compared against each other.

Data set 1: The first set of data is newly identified download sites contacted by Upatre using HTTPS. This data started in July 2013, steadily increased and peaked in November 2013, then tapered off in March 2014, with a slight increase in April 2014.

Data set 2: The second set of data is newly identified download sites contacted by Upatre using http. This data started in August 2013, steadily increased and peaked in April 2014.

Data set 3: The third set of data is newly identified download sites contacted by Pony. The data started in January 2012, with very little data between March 2012 and October 2012. It then steadily increased until it reached its peak in May 2013, and tapered off through March 2014, with one final peak in November 2013.

Upatre
Upatre is a Trojan horse downloader that was first documented by researchers during the third quarter of 2013. Like Pony, Upatre is spread via spam carrying malicious attachments (typically themed as fake invoices, shipment notifications or a sum of money awaiting claim), as well as via drive-by downloads and URL redirection. When a machine is infected, Upatre can download a variety of malware including GoZ, Cryptolocker, Cryptowall, Pushdo and, most recently, Dyreza (Dyre). Upatre is frequently delivered through the Cutwail botnet, a spam email system that can deliver hundreds of thousands of malicious spam emails at a time. Cutwail is also used by its criminal operators as a source of revenue: they charge individuals and groups who wish to use it as a distribution service to spread their own malware, including Upatre.

Cutwail and Upatre

Cutwail has been around since early 2007, and at its peak in 2009 it was believed to be one of the biggest spam botnets, responsible for sending approximately 45 percent of all spam. Although much of the Cutwail botnet was dismantled in the summer of 2009, it remains one of the most prominent spamming botnets, often infecting users with Upatre and Dyre.

Sources: Symantec Official Blog; Trend Micro Security Intelligence Blog

Once on a system, Upatre has a high level of persistence and is capable of stealthily installing itself onto a user's machine and operating autonomously as a process without user consent. A key feature of Upatre is that it uses very small files to infect its victims. While Pony attachments were as large as 2 MB, the small size of Upatre attachments (10-20 KB) allows more efficient use of bandwidth as well as lower detection rates. Once Upatre has downloaded an encrypted payload, it decrypts the malicious file, writes it to the file system, and then deletes itself.

Figure 2: CCIRC Upatre Samples (August 2013 – April 2014)

Image Description

The above figure shows CCIRC's Upatre samples using HTTPS versus HTTP between August 2013 and April 2014. This data is represented by two data sets compared against each other. The first data set is samples using HTTPS; it peaked in December 2013, tapered off in January 2014, and started to increase again in March 2014. The second data set, samples using HTTP, was nearly non-existent until January 2014 and steadily increased until April 2014.

Attackers using Upatre have used compromised websites to host their payloads. Once the Upatre infection has taken root on a system, it calls out to these compromised websites to download one of these payloads. CCIRC observed that between August and October 2013 there was a sharp increase in newly identified downloader sites used by Upatre rather than Pony. Over the same period there was a sharp increase in the overall number of newly discovered Upatre samples, as counted by distinct MD5 hashes (see Figure 2).

Pushdo Trojan
In addition to distributing Upatre for other cyber criminals, those behind the Cutwail botnet also use Upatre to recruit new spamming nodes for their botnet. Once on an infected machine, Upatre downloads the Pushdo Trojan, which in turn installs the Cutwail spam module so that the machine itself begins sending out spam.

Pushdo is one of the oldest active malware families, dating back to 2007. Despite four takedown attempts over the course of five years, BitDefender reported in July 2014 that 11,000 machines worldwide were still infected during a 24-hour observation period. Results from recent sinkholing of command and control domains suggest that Pushdo is in a growth stage, forming alliances with some other significantly larger botnets. Pushdo employs Domain Generation Algorithm (DGA) techniques to communicate with its C&Cs, which makes blocking its communications by domain alone very difficult.

Upatre Custom Application-layer Encryption
A file encrypted with Upatre's custom application-layer encryption was initially detectable by its first few bytes: when viewed in hexadecimal, the file began with "ZZP".


Image Description

The above figure shows a GET request using the "Updates downloader" User-Agent string. It also shows a HTTP 200 OK response, followed by the data represented in hexadecimal. The first three bytes of the hexadecimal data are "ZZP", showing that this data was encrypted using Upatre's custom application layer encryption.

Two variants of Upatre: HTTPS, then HTTP
Early variants of Upatre targeted compromised websites that employed Secure Sockets Layer (SSL) encryption in order to make their malicious URLs harder to detect, since most proxies do not decrypt SSL communication. One identifiable feature of Upatre during this period was its commonly used user-agent string, "Updates Downloader". Because the encrypted downloads were overlooked at the proxy level, the malicious files reached hosts where outdated security tools and lagging patches and security updates allowed them to run.

The developers of Upatre also introduced a new method of protecting their payloads: a custom application-layer encryption mechanism, used instead of transport-layer encryption (e.g. SSL). At the onset of this shift the feature was identifiable by the first few bytes of the downloaded file, the key identifier being "ZZP". Upatre decrypts these files with a key found in the downloader itself to obtain a compressed copy of the executable, then runs a decompression routine over the decrypted data to produce the final executable.

The first quarter of 2014 saw the criminals behind Upatre change direction, using HTTP communication instead of HTTPS. One likely reason for this change is that there are significantly more HTTP sites available to compromise, resulting in less overhead and a healthier bottom line for the criminals. By the second quarter of 2014, Upatre was calling out to more HTTP sites than HTTPS sites (see Figure 3).

Researchers have observed that the lifespan of a malicious file hosted on an HTTPS site appears to be considerably longer than that of one hosted on an HTTP site, most likely because it takes security professionals more time to identify malicious files hosted on HTTPS websites.

Figure 3: CCIRC Upatre HTTP vs. HTTPS Download Sites (August 2013 – April 2014)

Image Description

The above figure shows newly identified download sites contacted by Upatre using HTTPS compared to sites using HTTP between the dates August 2013 and April 2014. This data is represented by using two data sets compared against each other. The first data set is newly identified download sites contacted by Upatre using https. This data started in August 2013, steadily increased and peaked in November 2013, and finally tapered to low levels in March 2014. The second data set is newly identified download sites contacted by Upatre using http. This data set started in August 2013 and gradually increased until April 2014.

First change in the HTTP version: user-agent strings
Security experts were able to detect and block some Upatre downloaders using these identifiable features; however, Upatre adapted to evade detection. Identifiable features such as the "ZZP" bytes and the "Updates Downloader" user-agent string were replaced by a variety of arbitrary bytes and user-agent strings. The user-agent strings observed include:

User-agent strings:
  Updates downloader
  Firefox/5.0
  Mozilla/5.0
  2508Inst
  FixUpdate
  onlymacros
  2608cw-2
  iMacros
  Opera
  2808inst
  litle update
  Opera10
  aaaaaaa bbbbbbbbbb
  macrotest
  OperaMini
  CheckUpdate
  Mazilla
  Tintin
  Conchita Wurst
  Mozilla
  Treck
  Firefox
  Mozilla/4.0

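As an added example for this page (not code from CCIRC or from the Upatre samples), the following Python applies the user-agent list above to proxy log lines. The log layout, host names and client addresses are assumptions constructed for the example. The point worth noting is that several entries ("Mozilla/5.0", "Mozilla/4.0", "Firefox", "Opera") are also the leading token of legitimate browser User-Agent headers, so the check matches the entire header rather than a substring, and reports those generic tokens at lower confidence than distinctive ones such as "Conchita Wurst" or "2508Inst".

```python
import re

# Exact User-Agent strings the report lists for Upatre's HTTP variant.
UPATRE_USER_AGENTS = {
    "Updates downloader", "Firefox/5.0", "Mozilla/5.0", "2508Inst", "FixUpdate",
    "onlymacros", "2608cw-2", "iMacros", "Opera", "2808inst", "litle update",
    "Opera10", "aaaaaaa bbbbbbbbbb", "macrotest", "OperaMini", "CheckUpdate",
    "Mazilla", "Tintin", "Conchita Wurst", "Mozilla", "Treck", "Firefox",
    "Mozilla/4.0",
}
# Entries that are also the leading token of a legitimate browser User-Agent.
# A real browser sends a much longer header, so these are only suspicious when
# they make up the *entire* header; they are reported at lower confidence.
GENERIC_TOKENS = {
    "Mozilla/5.0", "Mozilla/4.0", "Mozilla", "Firefox", "Firefox/5.0",
    "Opera", "Opera10", "OperaMini",
}
# Case-insensitive lookup so "Updates Downloader" and "Updates downloader" both hit.
_LOOKUP = {ua.lower(): ua for ua in UPATRE_USER_AGENTS}

# Assumed proxy log layout (constructed for this example):
#   <epoch> <client> <method> <url> <status> <bytes> "<user-agent>"
_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')


def classify_user_agent(ua: str):
    """Return 'high', 'medium' or None for one complete User-Agent header."""
    canonical = _LOOKUP.get(ua.strip().lower())
    if canonical is None:
        return None
    return "medium" if canonical in GENERIC_TOKENS else "high"


def find_upatre_hits(log_text: str):
    """Scan proxy log lines and return one dict per line whose User-Agent matches."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment would count these
        ts, client, method, url, status, size, ua = m.groups()
        confidence = classify_user_agent(ua)
        if confidence:
            hits.append({"client": client, "url": url, "bytes": int(size),
                         "user_agent": ua, "confidence": confidence})
    return hits


# Constructed sample log lines; hosts and addresses are placeholders.
SAMPLE_LOG = """\
1396000000.123 10.0.0.5 GET http://example.invalid/img/update.enc 200 18231 "Updates downloader"
1396000001.456 10.0.0.7 GET http://example.invalid/index.html 200 5120 "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
1396000002.789 10.0.0.9 GET http://example.invalid/docs/report.tar.gz 200 20480 "Mozilla/5.0"
1396000003.012 10.0.0.11 GET http://example.invalid/a/b.php 200 16384 "Conchita Wurst"
1396000004.345 10.0.0.13 GET http://example.invalid/news 200 900 "curl/7.35.0"
"""

if __name__ == "__main__":
    for hit in find_upatre_hits(SAMPLE_LOG):
        print(f"{hit['confidence']:6} {hit['client']:10} {hit['user_agent']!r} -> {hit['url']}")
```

The same exact-match logic translates directly into a proxy or IDS rule. The lower-confidence hits are worth correlating with the small download sizes and with the file-extension and magic-byte observations in the next section before blocking, since a bare "Mozilla/5.0" header can also come from scripts and embedded devices.
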
Second change in the HTTP version: file extensions and magic bytes
Early variants of the files distributed by Upatre were identifiable to security professionals when viewed in hexadecimal, even though they were encrypted: the first three bytes were always the same, "ZZP" (often referred to as the "magic number"). Over time, researchers discovered samples that lacked the ZZP magic bytes; the files were still encrypted but were no longer being identified by anti-virus software. In addition, the downloaded files, which were at first all named with the .enc extension, were later given diverse extensions including .tar.gz, .PDF and many other names, including names that are not normally used. These later variants became very difficult to block, because the "ZZP" bytes and the .enc extension had been the only known identifiable features.
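The checks described in this section and in the Pony discussion earlier (matching on the "MZ" bytes, then on the "ZZP" marker, regardless of the file name the server presents) can be expressed as a small content classifier. The following Python is an added example written for this page, not code from CCIRC or from the Upatre samples. The file names, the minimal MZ/PE stub and the pseudo-random blob standing in for an encrypted payload are constructed test inputs, the list of benign magics is illustrative, and the entropy cut-off is an assumed value. It goes one step beyond the report by confirming the PE signature via e_lfanew rather than trusting "MZ" alone, and by falling back to an entropy heuristic for the later variants that dropped the ZZP marker.

```python
"""Classify a downloaded body by its leading bytes, not by its file name."""
import hashlib
import math
import struct
from collections import Counter

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
ZZP_MAGIC = b"ZZP"  # marker at the start of early Upatre custom-encrypted payloads
# Magics of formats Upatre payloads were disguised as (constructed list, not exhaustive).
KNOWN_FORMATS = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "gzip": (b"\x1f\x8b",),
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off, tune against your own traffic


def is_pe_executable(data: bytes) -> bool:
    """True if 'MZ' is present and e_lfanew (offset 0x3C) points at 'PE\\0\\0'.

    Checking the PE signature as well avoids flagging text that merely starts with MZ.
    """
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes):
    for name, magics in KNOWN_FORMATS.items():
        if data.startswith(magics):
            return name
    return None


def classify_payload(data: bytes, file_name: str) -> str:
    """Verdict for one downloaded body; the name is used only to report a mismatch."""
    ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else "noext"
    if is_pe_executable(data):
        return "executable" if ext == "exe" else "executable-disguised-as-" + ext
    if data.startswith(ZZP_MAGIC):
        return "upatre-zzp-encrypted"
    fmt = known_format(data)
    if fmt is not None:
        return fmt
    # Later Upatre variants dropped the ZZP marker and used arbitrary extensions, so
    # fall back to an entropy heuristic (an added heuristic, not from the report).
    if len(data) >= 512 and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "opaque-high-entropy"
    return "unclassified"


def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE stub, enough for the header check (not a runnable program)."""
    header = bytearray(0x40)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(header) + PE_SIGNATURE + b"\x00" * 120


def build_opaque_blob(length: int = 2048) -> bytes:
    """Deterministic high-entropy bytes standing in for a custom-encrypted payload."""
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                    for i in range(length // 32 + 1))
    return blob[:length]


# Constructed sample downloads keyed by the name the server presented.
SAMPLES = {
    "invoice.exe": build_fake_pe(),
    "photo.jpeg": build_fake_pe(),                  # Pony-era trick: renamed executable
    "update.enc": ZZP_MAGIC + build_opaque_blob(),  # early Upatre download
    "report.tar.gz": build_opaque_blob(),           # later Upatre download, no marker
    "logo.gif": b"GIF89a" + b"\x00" * 600,
    "readme.txt": b"hello world " * 50,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} {classify_payload(body, name)}")
```

Run it directly to see a verdict per sample. The entropy fallback is only a triage signal: JPEG, PNG and gzip bodies are legitimately high-entropy (which is why known magics are checked first), and an attacker can prepend a benign magic to an encrypted blob, so pair it with source reputation and download-size context rather than using it as a blocking rule on its own.
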

Present day Upatre and Environmental Components (Ecosystem)
Upatre has essentially evolved into the epicenter of the spam/malware universe capable of supporting an entire malware ecosystem. Distributed via the Cutwail botnet, Upatre is capable of retrieving several varieties of malware. In particular, Upatre can download and install GoZ, Cryptowall, Dyre and Pushdo. Pushdo then serves to support the ecosystem by installing Cutwail on user machines.

Figure 4: Upatre's Ecosystem

Image Description

The above figure is a flow chart on Upatre's Ecosystem:

  1. The Upatre Trojan is delivered either by the Cutwail botnet using spam emails, or through drive-by download via exploit kits.
  2. The Upatre Trojan may drop additional malware, including PushDo Trojan, GOZeus Botnet, Cryptowall or Dyre Trojan.
  3. GOZeus botnet may deliver Cryptolocker.
  4. PushDo Trojan will deliver Cutwail.

According to CCIRC statistics, the kind of malware being downloaded by Upatre has changed significantly since its early days. Figure 5 shows this evolution.

GoZ dominated Upatre's ecosystem until a successful takedown operation in June 2014 resulted in its nearly complete elimination. By the end of 2014, Upatre was primarily delivering Pushdo, Dyre and Cryptowall. Looking ahead, Dyre, an information-stealing Trojan similar to GoZ, continues to be a significant concern in the first quarter of 2015.

Upatre continues to evolve and change its tactics to evade detection. Upatre’s custom application layer encryption alters every few months, making blocking difficult. It continues to be widely used by cyber criminals as a vector for downloading and installing additional malware.

Figure 5: Malware using Upatre Downloader (April – November 2014)

Image Description

The above figure shows the different types of malware that have been delivered by the Upatre Trojan between the dates April 27, 2014 and November 30, 2014.

Cryptowall was first observed in July 2014. Newly discovered sites used by Upatre to deliver Cryptowall were typically being discovered a few at a time, with small peaks every other week until mid-October 2014.

Cryptowall 2.0 was spotted a few times between late July and mid-August 2014, but was not spotted again until November 2014. It was not observed as frequently as Cryptowall: at most one or two new sites delivering it were discovered in any given week.

Dyre was first observed in July 2014, rose sharply and peaked in the middle of August 2014, then fell dramatically a few days later in August 2014. Few new sites used to install Dyre were observed during September, but October was a big month for Dyre, with more than 25 new sites discovered in the week of the 26th. Dyre was still being delivered by Upatre in November, although fewer sites were discovered.

Gameover Zeus was the first malware being dropped by Upatre. Although the graph only shows the number of newly discovered sites used to drop it since April 2014, it was being dropped since August 2013. The number of newly discovered sites used to drop Gameover Zeus peaked in June 2014, and finally tapered off in August 2014.

Kogotip was observed sporadically no more than twice a week between July 2014 and October 2014.

PushDO 3.2 was first observed in June 2014 and peaked in the middle of every month until October, when it rose higher. There was a sharp decrease at the beginning of November 2014, but later the same month the number of sites rose even higher than in October.

PushDO Mv20 was observed twice: once in early September 2014 and once around mid-October 2014.  

Tuscas was observed only once in the middle of July 2014.

Conclusion
Upatre is a stealthy piece of malware that has proven capable of changing its tactics to remain one of the more prominent malware downloaders. As security vendors improve their detection methods for Upatre, its creators are continually updating the Trojan with new features to make it harder to find and remove.

Throughout this research, as shown in Figure 5, CCIRC identified numerous compromised websites used to deliver Upatre payloads. As the national CSIRT, CCIRC has contributed to improving the cyber landscape by notifying the owners of these websites and offering assistance.

This research also gives some insight into how criminals reacted to the takedown of Gameover Zeus, which occurred in early June 2014 and was referred to by the media as "Operation Tovar". Gameover Zeus was dropping Cryptolocker, a crypto-ransomware that was undoubtedly an important source of revenue for its authors. It is not surprising, then, to observe that Upatre started dropping Cryptowall, another crypto-ransomware, to compensate for the loss of revenue due to the reduction in Cryptolocker infections. Following Operation Tovar, Dyre appeared and quickly became one of the most prominent banking Trojans observed by CCIRC. One banking Trojan (Dyre) thus replaced another (Gameover Zeus), and one crypto-ransomware (Cryptowall) replaced another (Cryptolocker). This entire ecosystem stays healthy thanks to Pushdo, which recruits new spamming computers in order to send out more Upatre Trojans as attachments.

Despite the rise of Dyre and Cryptowall, Operation Tovar was a successful operation as it led to criminal charges and the seizure of a database containing the decryption key for numerous Cryptolocker victims, as reported by the BBC on August 6th 2014. This operation was successful primarily because it was a coordinated effort to which numerous government agencies, private corporations, and academic researchers contributed.

As malware evolves, it is important that organizations strengthen the defense of their network perimeter and also keep their users educated regarding secure IT practices regarding potentially malicious attachments and hyperlinks.

Mitigation Strategies and Suggested Actions
CCIRC recommends that organizations review the following actions and consider their implementation in the context of their network environment.

Further Reading

Appendix

Pushdo Trojan
Pushdo is a multipurpose Trojan that installs Cutwail, which in turn distributes Upatre. Pushdo is one of the oldest active malware families and is estimated to still be in a growth stage. It uses a DGA as a fallback mechanism when its primary C&C communication fails. Pushdo also sends HTTP requests to some 300 lesser-known but legitimate websites at the same time as its real C&C traffic, so that the command-and-control communication is mixed in with benign-looking requests.

Cryptowall
Cryptowall is a particularly effective piece of ransomware, delivered by way of Upatre, which encrypts a user's files then demands a Bitcoin ransom be paid in order to decrypt the files. Cryptowall infections sometimes use malvertising as an infection vector, but various forms of email spam are also used. For example, users may receive an email that explains how money intended to be transferred is being held up by a small erroneous detail. The email contains a zip file with the details of the transfer. However the zip file doesn't contain transfer information but rather a harmful .scr file.

Dyreza (Dyre)
Historically, the Dyre banking Trojan was known for stealing the banking and credit card information of individual customers of major banks through phishing campaigns and man-in-the-middle attacks. More recently, Dyre has been used in Advanced Persistent Threat (APT) style campaigns against large enterprises and bitcoin trading websites: once a company's systems are compromised, the malicious actors wait patiently in the environment for months at a time, harvesting data and waiting for the opportune moment to strike. Dyre was originally discovered when researchers examining a persistent phishing campaign abusing Dropbox links found that the attackers had adopted a new delivery method using an altogether new malware strain.

In October 2014 a Dyre campaign began with thousands of emails circulating with "unpaid Invoic" as the subject and Invoice621785.pdf as the attachment. Once opened, the PDF installed a version of Dyre that remains persistent on the system and listens for financial information. Dyre also leverages Session Traversal Utilities for NAT (STUN), a standardized set of methods and a network protocol that allows an end host to discover its public IP address when it sits behind a network address translation (NAT) device. In December 2014 Dyre was also used in a wire-transfer-themed spam campaign that began with Upatre creating a conduit for Dyre.

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
