
The Dell SonicWALL Threat Research team has observed a variant of the Upatre Trojan that is used for political spam. In this case the Trojan is used for an anti-drone campaign, urging victims to stand up to the U.S. Government against the use of drones in war.
Infection Cycle:
The Trojan uses the following icon to masquerade as a harmless PDF file:

Once infected, the Trojan causes the following PDF file to be displayed on the user's desktop:

The Trojan adds the following files to the filesystem:
The Trojan makes the following DNS queries:
straphael.org.uk
canabrake.com.mx
stun.schlund.de
docs233.com
smtp.docs233.com

The Trojan obtains the external IP address of the infected system from DynDNS and reports the infection to a remote web server. It uses the "Mazilla/5.0" user agent string that is typical of malware from this family:

It leaks information about the currently logged-in user and the version of Windows that is running:
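The network behaviour described above (DNS queries to the listed domains, the DynDNS external-IP lookup, and the misspelled "Mazilla/5.0" user agent) can be turned into a simple log check. The following is an added example, not code from SonicWALL or the advisory; the log formats and the DynDNS hostname checkip.dyndns.org are assumptions, and the sample log lines are constructed.

```python
import re

# Domains the advisory lists as queried by this Upatre sample.
SUSPECT_DOMAINS = {"straphael.org.uk", "canabrake.com.mx", "stun.schlund.de",
                   "docs233.com", "smtp.docs233.com"}
SUSPECT_UA_PREFIX = "Mazilla/5.0"      # misspelled UA the advisory ties to this family
IP_CHECK_HOST = "checkip.dyndns.org"   # assumption: the advisory only says "DynDNS"

# Constructed sample logs (not from the advisory).
# Proxy format: ts client method url "user-agent"; DNS format: ts client qname.
PROXY_LOG = """\
2014-06-10T12:00:01 10.0.0.5 GET http://checkip.dyndns.org/ "Mazilla/5.0"
2014-06-10T12:00:02 10.0.0.5 GET http://docs233.com/report.php "Mazilla/5.0"
2014-06-10T12:00:03 10.0.0.7 GET http://example.com/ "Mozilla/5.0 (Windows NT 6.1)"
"""
DNS_LOG = """\
2014-06-10T12:00:00 10.0.0.5 straphael.org.uk
2014-06-10T12:00:00 10.0.0.5 smtp.docs233.com.
2014-06-10T12:00:05 10.0.0.7 www.example.com
"""
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def is_listed(host: str) -> bool:
    """True for a listed domain or any subdomain of one (trailing dot tolerated)."""
    host = host.lower().rstrip(".")
    return host in SUSPECT_DOMAINS or any(host.endswith("." + d) for d in SUSPECT_DOMAINS)

def scan_logs(proxy_text: str, dns_text: str) -> dict:
    """Map each client IP to the sorted list of indicators seen for it."""
    findings = {}
    def flag(client, reason):
        findings.setdefault(client, set()).add(reason)
    for line in proxy_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _ts, client, _method, url, ua = m.groups()
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if ua.startswith(SUSPECT_UA_PREFIX):
            flag(client, "mazilla-user-agent")
        if host.lower() == IP_CHECK_HOST:
            flag(client, "external-ip-check")
        if is_listed(host):
            flag(client, "http-to-listed-domain")
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and is_listed(parts[2]):
            flag(parts[1], "dns-to-listed-domain")
    return {client: sorted(reasons) for client, reasons in findings.items()}
```

A client that shows several of these indicators together (IP check plus the bad user agent plus a listed domain) is a far stronger signal than any one of them alone, since the DynDNS lookup and a STUN server are also used by legitimate software.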

The Trojan downloads the PDF file to be displayed in encrypted form:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures: