A spam email campaign that is using a wire transfer lure—“You’ve been sent $35,292!”—is spreading both the Upatre Trojan and the Dyre remote access tool (RAT) malware.
“During the past week, our telemetry showed [that] this threat was predominately seen in North America and attempts to compromise both consumer and enterprise machines,” said Microsoft researcher Patrick Estavillo in a notice from the Microsoft Malware Protection Center (MMPC).
Upatre typically spreads through spam email campaigns and then downloads other malware onto the infected PC. In this case, the attachment is a malicious ZIP file that extracts to an SCR file posing as a screensaver or an Adobe PDF document. In reality it is an executable that fetches and installs additional malware: the Dyreza (aka Dyre) banking threat, which can steal personal information such as online banking user names and passwords.
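The ZIP-to-SCR attachment chain described above lends itself to a simple mail-gateway triage check: flag archive members with an executable extension, a document-style double extension, or a Windows PE header. This is an added example, not code from the Microsoft notice; the archive and the member name `Payment_Notice.pdf.scr` are constructed for illustration.

```python
"""Triage a ZIP e-mail attachment for the Upatre delivery pattern:
an archive whose member is an .scr executable posing as a screensaver
or PDF. Added example; the sample archive is constructed inline and
the member name is hypothetical."""
import io
import zipfile

# Extensions Windows will execute regardless of the icon displayed.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-like extensions that a lure typically borrows for the decoy name.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt"}


def suspicious_members(zip_bytes):
    """Return a list of (member_name, reasons) for risky archive entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in basename.split(".")[1:]]
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension " + exts[-1])
            if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("double extension masquerading as " + exts[-2])
            # A Windows PE image always begins with the 'MZ' DOS header.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("PE header (MZ) in content")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample resembling the campaign's attachment (not a real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_Notice.pdf.scr", b"MZ" + b"\x00" * 62)  # fake PE stub
        zf.writestr("readme.txt", b"wire transfer details")  # benign member
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
```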
Dyreza has been busy lately. It was last reported in late October mounting a fresh offensive on the financial sector, with a focus on several banks in Switzerland and the recently uncovered Windows OLE remote code execution vulnerability. In that case, Dyreza again spread via spam emails purporting to be invoices or account notices from banks. They carried a PowerPoint attachment that exploits CVE-2014-4114—the same vector first seen abused in Sandworm advanced persistent threat (APT) attacks against targets in Poland and the Ukraine.
US-CERT at the time also issued an alert, noting that phishing mails in the US were using malicious PDF attachments that leverage vulnerabilities (namely CVE-2013-2729) in old, unpatched versions of Adobe Reader to download the malware.
In September, cloud giant Salesforce.com warned customers that Dyreza may be targeting their PCs to steal log-in credentials. “This is not a vulnerability within Salesforce. It is malware that resides on infected computer systems and is designed to steal user log-in credentials and resides on infected customer systems,” the company was quick to note.
Those running up-to-date Microsoft security software are protected from the threat.