Spammers Get Even Sleazier with Attachment within Attachment Technique

Spammers don’t really need to be any sleazier. The fact is, they’re so slimy that they glide when they walk, but it seems they’re just not content with being among the worst people in society. And perhaps they deserve credit for trying to be even worse. That certainly seems to be the case if a recent article from El Reg is any indication.

The Register reports in an April 8th article that there’s a new attachment threat out there. For security folks, it seems we never get a break, not even long enough to have a bowl of Wheaties, from dealing with a bunch of man-children who thought it would be a neat idea to become dirtbags instead of getting a real life. So in case you missed it, here’s what we know.

According to The Register, “A new variant of the Upatre Trojan comes bundled in spammed messages that imitate emails from known banks such as Lloyds Bank and Wells Fargo. The .MSG file of the malicious emails contains another .MSG file attached with an attached “ZIP” file.” The ZIP file is dressed up as a secure message from the victim’s bank, password protection and all, but what it holds is the Upatre variant. Both layers earn their keep: a mail filter that only inspects the outer message’s attachments never sees the ZIP, and one that does reach it can’t open a password-protected archive to look inside.

“Opening the “ZIP file” on a Windows machine results in an attempt to infect the machine before a download of a variant of the ZeuS (Zbot) banking Trojan ensues. The Trojan then attempts to snaffle online banking passwords.” Other malware – notably the Necurs malware, which is a known strain bent on disabling security features on a system before it establishes a backdoor – is also deployed, making this threat particularly dangerous.
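What a mail gateway has to do with a lure built this way is unpick every layer before deciding anything. The script below is an added example, not from The Register’s report or from this post: it constructs a stand-in for the lure (an outer message carrying an attached message, which carries a ZIP with the encrypted bit set around a double-extension .exe) and walks it recursively, flagging the nested message, the archive it cannot open, and the executable name it can still read. Two assumptions: the real campaign used Outlook .MSG (OLE) containers, which the standard library cannot parse, so a MIME message/rfc822 attachment stands in for the inner .MSG; and zipfile cannot write password-protected archives, so the sample sets the encryption flag bit by hand. The sender addresses, filenames and depth limit are made up.

```python
"""Recursive attachment inspection for an attachment-within-attachment lure.

Constructed sample, not a captured message. The real campaign used Outlook
.MSG (OLE) containers; here a MIME message/rfc822 attachment stands in for
the inner .MSG so the whole thing builds and parses with the stdlib alone.
"""
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click; none belongs in a "secure bank message".
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 4  # containers (messages or archives) we are willing to descend into


def build_sample_email() -> bytes:
    """Outer message -> attached message -> password-protected ZIP -> .exe (all constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SecureMessage.pdf.exe", b"MZ placeholder bytes, not malware")
    # zipfile cannot write ZipCrypto, so set the "encrypted" bit (bit 0 of the
    # general-purpose flags) by hand: offset 6 in the local header, offset 8 in
    # the central directory entry. Entry names stay readable; content does not.
    zip_bytes = bytearray(buf.getvalue())
    zip_bytes[zip_bytes.find(b"PK\x03\x04") + 6] |= 0x01
    zip_bytes[zip_bytes.find(b"PK\x01\x02") + 8] |= 0x01

    inner = EmailMessage()
    inner["From"] = "secure-messaging@bank.example"  # assumed lure sender
    inner["Subject"] = "Your secure message"
    inner.set_content("Your encrypted statement is attached. The password was sent separately.")
    inner.add_attachment(bytes(zip_bytes), maintype="application", subtype="zip",
                         filename="SecureMessage.zip")

    outer = EmailMessage()
    outer["From"] = "alerts@bank.example"  # assumed lure sender
    outer["Subject"] = "FW: Secure message from your bank"
    outer.set_content("Please open the attached message.")
    outer.add_attachment(inner, filename="SecureMessage.eml")  # becomes message/rfc822
    return outer.as_bytes()


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw email and return (location, finding) pairs, outermost first."""
    findings: list[tuple[str, str]] = []
    scan_part(message_from_bytes(raw, policy=policy.default), 0, "mail", findings)
    return findings


def scan_part(part, depth: int, path: str, findings: list) -> None:
    if part.get_content_type() == "message/rfc822":
        # The attachment-within-attachment: a filter that only lists the outer
        # message's attachments never sees what this one carries.
        findings.append((path, "nested message attachment"))
        if depth + 1 > MAX_DEPTH:
            findings.append((path, "nesting limit reached; not inspected"))
            return
        for inner in part.iter_parts():
            scan_part(inner, depth + 1, f"{path}/msg", findings)
    elif part.is_multipart():
        for i, sub in enumerate(part.iter_parts()):
            scan_part(sub, depth, f"{path}/{i}", findings)
    else:
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        scan_blob(name, data, depth, f"{path}:{name or part.get_content_type()}", findings)


def scan_blob(name: str, data: bytes, depth: int, path: str, findings: list) -> None:
    lower = name.lower()
    ext = os.path.splitext(lower)[1]
    if ext in EXECUTABLE_EXTS or data.startswith(b"MZ"):
        findings.append((path, "executable payload"))
    if ext in EXECUTABLE_EXTS and lower.count(".") >= 2:
        findings.append((path, "double extension"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    if depth + 1 > MAX_DEPTH:
        findings.append((path, "nesting limit reached; archive not inspected"))
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entry = f"{path}!{info.filename}"
            if info.flag_bits & 0x01:
                # Password protection hides the bytes, not the names, so the
                # extension checks above still run on an empty payload.
                findings.append((entry, "encrypted archive entry; content not inspectable"))
                scan_blob(info.filename, b"", depth + 1, entry, findings)
            else:
                scan_blob(info.filename, zf.read(info), depth + 1, entry, findings)


if __name__ == "__main__":
    for location, finding in scan_message(build_sample_email()):
        print(f"{finding:<48} {location}")
```

Run it directly to print the findings. The practical lesson is in the last two lines of output: a password-protected ZIP hides the bytes but not the entry names, so a filter that gives up at “encrypted, cannot scan” is leaving the most useful signal on the table.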

According to The Register, “Upatre can be likened to a sherpa in the world of cybercrime, setting up a base camp for assaults by other cybercrime tools on weakly secured systems. Previous spam runs of Upatre have been associated with the distribution of the infamous Cryptolocker file-encrypting ransomware threat.”

Upatre is indeed nasty. Once it’s infected a system, it “moves to download different malware from its command and control server”, according to Threatpost.com. Late last year, the Microsoft Malware Protection Center (MMPC) noted a significant spike in spam campaigns utilizing Upatre. The campaign distributed Upatre “with the following malicious attachments where ‘<variable names>’ can be domains, company, and individual names, or even random letters or words: USPS_Label_<random number>.zip, USPS – Missed package delivery.zip, Statement of Account.zip, <number>-<number>.zip, TAX_<variable names>.zip, Case_<random number>.zip, Remit_<variable names>.zip, ATO_TAX.zip, and ATO_TAX_<variable names>.zip.”

One security blog notes that “The NECURS malware is notable for its final payload of disabling computers’ security features, putting computers at serious risk for further infections. It gained notoriety in 2012 for its kernel-level rootkit and backdoor capabilities. It is important to note that we are now seeing an increase of this malware, which can be attributed to UPATRE/ZBOT being distributed as attachments to spammed messages.”

Nearly 97 percent of Upatre’s infections occurred in the United States, according to MMPC. Data indicated that the criminals delivered the Trojan “with exploit kits targeting Java and PDF vulnerabilities as well.”

This raises the question of just how bad it’s going to get. It’s been bad already, but it appears the hackers and spammers have pulled out all the stops. And it’s not as if they were playing with kid gloves before. Threats like this pose a severe risk to organizations and individuals alike, and it’s not as if we haven’t already been hosed by what we thought was a safe course to navigate. The news this week of Heartbleed was (and is) a severe blow to everything we thought we knew. Things aren’t nearly as secure as they’re supposed to be. And don’t assume a flaw is new just because we learned about it today: the Heartbleed bug had been sitting in OpenSSL for a full two years before it was disclosed, and nobody can say for certain that nobody found it first.

The question we have to ask ourselves, then, is ‘what’s next?’ The security industry as a whole tends to be very reactive, and for good reason. That’s all it can do. React. Hackers are in love with zero-day exploits, and the asymmetry is brutal: we have to cover every way in, and they only need to find one that works. They live for this stuff, and while we do it because we get paid for it and we love it, their reasons aren’t always easy to fathom. Sometimes they get paid for it. And they definitely love it.

We’re sure their mothers are terribly proud.
