Support is seeing an influx of calls on a spam attack with a Downloader.Upatre threat.
Because the threat is a downloader and the files it downloads behave differently from case to case, the following is general information on what we are seeing.
The threat generally:
- Arrives in a .ZIP attachment
- Is initially a .SCR file, but rewrites itself as a .exe after execution
- File names follow a similar naming convention, for example:
  - document81723.scr
  - payment_ref02812_pdf.scr
  - fax8642174_pdf.exe
  - document18731.scr
  - payment-confirmed2763_pdf.scr
- Downloads additional threats and backdoors, including Infostealer.Dyranges, Backdoor.Trojan, and Trojan Horse
- May be detected as Downloader.Upatre, Trojan.Gen.Smh
- May include a non-executable threat artifact.
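The two observable traits above that a mail gateway or desktop tool can act on before execution are the ZIP-wrapped .SCR/.EXE and the lure-style file names. The following is an added example, not code from the original post or from the vendor: it inspects a ZIP in memory, flags entries with executable extensions, and matches entry names against regexes generalised from the sample names listed above (the regexes and the constructed sample ZIPs are assumptions of this example, not a vendor signature).

```python
import io
import re
import zipfile

# Name patterns generalised from the sample file names listed in the post
# (document81723.scr, payment_ref02812_pdf.scr, fax8642174_pdf.exe, ...).
# Assumption of this example: the regexes are drawn from those samples only.
LURE_NAME_PATTERNS = [
    re.compile(r"^document\d+\.(scr|exe)$", re.IGNORECASE),
    re.compile(r"^payment[_-](ref|confirmed)\d+_pdf\.(scr|exe)$", re.IGNORECASE),
    re.compile(r"^fax\d+_pdf\.(scr|exe)$", re.IGNORECASE),
]

# Executable extensions that have no business inside an e-mailed ZIP.
EXECUTABLE_EXTENSIONS = {".scr", ".exe"}


def classify_zip(zip_bytes):
    """Return a list of (entry_name, reasons) for suspicious ZIP entries.

    reasons is a list of strings: 'executable' and/or 'lure_name'.
    Entries that raise no flag are omitted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]  # strip any folder prefix
            lower = name.lower()
            reasons = []
            if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                reasons.append("executable")
            if any(p.match(name) for p in LURE_NAME_PATTERNS):
                reasons.append("lure_name")
            if reasons:
                findings.append((name, reasons))
    return findings


def should_quarantine(zip_bytes):
    """Gateway-style decision: quarantine the message if any entry is flagged."""
    return bool(classify_zip(zip_bytes))


def build_sample_zip(entries):
    """Build an in-memory ZIP from a {name: bytes} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples with inert placeholder bytes; no real binaries involved.
SUSPICIOUS_ZIP = build_sample_zip({
    "payment_ref02812_pdf.scr": b"MZ placeholder - constructed, not a real binary",
    "readme.txt": b"constructed benign text",
})
BENIGN_ZIP = build_sample_zip({
    "invoice_2014.pdf": b"%PDF-1.4 constructed placeholder",
})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        verdict = "quarantine" if should_quarantine(blob) else "deliver"
        print(label, classify_zip(blob), verdict)
```

The extension check alone is what a spam filter should already enforce for inbound mail; the name patterns only add a label that helps support staff recognise this particular campaign when triaging what slipped through.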
Remediation is fairly straightforward:
- Submit the file, get defs, and get a *SCRIBE report
- Block all C&C communications noted in the report
- Scan and Remove the threat
- Reboot
* We have had some cases where a reboot was required to remove the threat from memory. We are suggesting a reboot on all machines where the threat was allowed to execute.
*Because the secondary threats may not be the same for each infection, it’s important to get new submissions and stay flexible in your troubleshooting.
*We have had several reports of one of the secondary threats having mass mailing capability as well. This is unconfirmed.
*What’s a SCRIBE report?
A SCRIBE report is provided for all enterprise submissions and provides technical analysis of the threat. It usually arrives about an hour after the initial submission.
Support Notes:
- Spam attacks should be blocked by a spam filter and should not be allowed to reach the desktop at all. Letting the message reach the desktop makes the path from receipt to infection much faster.
- These are widespread, indiscriminate attacks; they do not appear to be targeted.
Published 10 years ago
Version 1.0