Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking on a link or opens an attachment contained in a spam email. Since January 2015, we have seen spam emails commonly distributed by variants of the Hedsen and Cutwail malware families.
Upatre's malicious actions vary, but it commonly acts as a central distribution platform for a number of other threat families. For example:
- The malware reaches out to a command-and-control (C&C) server.
- It obtains instructions on how to spread malware to other machines. For example, it might install Hedsen or Cutwail and utilize the parameters specified by the C&C server. It might download information-stealing malware, such as Dyzap, Kegotip and Gophe families. Evotob might also be installed by Upatre. Evotob is a tampering malware which attempts to disable certain processes on the user's machine.
- Kegotip and Gophe mine information from the user's machine.
- The stolen information is then sent back to the C&C server.
The infection chain
Essentially, a system is infected with Upatre through either the Hedsen or Cutwail threat family. Upatre then spreads to other machines using Hedsen and Cutwail (a typical cyclical/symbiotic relationship we often see in spammers and information stealers), in an attempt to steal information about a user and their machine with Dyzap, Kegotip and Gophe families. It also tries to prevent detection by using Evotob.
Figure 1: Upatre infection chain since January 2015
Where is Upatre most prevalent?
The following chart shows the percentage of Upatre infections in the top 10 countries.
Figure 2: A breakdown of the top 10 countries affected by the Upatre infections since January 2015
Detection rates for these countries is as follows:
| Countries | Upatre infections |
| United States | 5,326,970 |
| Unknown | 4,373,572 |
| Ireland | 789,743 |
| Canada | 97,608 |
| United Kingdom | 75,550 |
| Australia | 26,156 |
| France | 19,098 |
| Spain | 16,335 |
| Mexico | 15,734 |
| Japan | 15,176 |
Figure 3: The data shows the United States having the most Upatre infection since January 2015
Figure 4: A breakdown by top countries reporting malware in the Upatre infection chain since January 2015
How can you help protect your enterprise software security infrastructure from Upatre?
Upatre manages to sneak in to security infrastructures by employing age-old social engineering tricks. It tricks people by enticing them to click on malicious links through spam emails.
A combination of the following will help protect against Upatre:
Use the following free Microsoft software to detect and remove this threat:
- Windows Defenderfor Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
Keep the Microsoft Active Protection Service (MAPS) enabled on your system. See MAPS in the cloud: How can it help your enterprise? for details.
Make sure and keep all software up to date.
Patrick Estavillo
MMPC