Upatre: Emerging Up(d)at(er) in the wild

The MMPC is constantly monitoring emerging threats that are impacting our customers the most.

Recently, we started seeing Win32/Upatre being distributed in the wild. This chart shows how this threat has impacted customer machines in just about two months.

Chart showing increase of Win32/Upatre infections in August to September of 2013

Figure 1: Monthly telemetry data on Win32/Upatre downloader


As we see in this next chart, the concentration of infections is in the United States, with 96% of total infections, followed by the UK, Canada, and Australia. The high rate of infections in the US may be due to the spam distribution methods: infections are being reported via online email services.

Pie chart showing geographic spread of Win32/Upatre

Figure 2: Monthly telemetry data on Win32/Upatre by country


We have seen this malware distributed via spam campaigns with email attachments such as the following:

  • USPS_Label_<random number>.zip
  • USPS - Missed package delivery.zip
  • Statement of Account.zip
  • <number>-<number>.zip
  • TAX_<variable names>.zip
  • Case_<random number>.zip
  • Remit_<variable names>.zip
  • ATO_TAX.zip
  • ATO_TAX_<variable names>.zip

The <variable names> can be domains, company and individual names, or may be just random letters or words.
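The attachment names listed above can be turned into a mail-gateway triage filter. The following is an added example, not code from the original post or from the MMPC: the placeholders (`<random number>`, `<number>`, `<variable names>`) are translated into anchored regular expressions and run over a constructed set of gateway records.

```python
import re

# Attachment names quoted in the post, turned into anchored regexes.
# <random number> / <number> -> digits; <variable names> -> a domain,
# company or person name, or random letters/words (any non-empty token).
UPATRE_ATTACHMENT_PATTERNS = {
    "usps_label":  re.compile(r"^USPS_Label_\d+\.zip$", re.I),
    "usps_missed": re.compile(r"^USPS - Missed package delivery\.zip$", re.I),
    "statement":   re.compile(r"^Statement of Account\.zip$", re.I),
    "number_pair": re.compile(r"^\d+-\d+\.zip$"),
    "tax":         re.compile(r"^TAX_[\w.\-]+\.zip$", re.I),
    "case":        re.compile(r"^Case_\d+\.zip$", re.I),
    "remit":       re.compile(r"^Remit_[\w.\-]+\.zip$", re.I),
    "ato_tax":     re.compile(r"^ATO_TAX(?:_[\w.\-]+)?\.zip$", re.I),
}


def classify_attachment(name: str):
    """Return the label of the first campaign pattern that matches, else None."""
    name = name.strip()
    for label, pattern in UPATRE_ATTACHMENT_PATTERNS.items():
        if pattern.match(name):
            return label
    return None


# Constructed sample of mail-gateway records: (message id, attachment name).
SAMPLE_GATEWAY_RECORDS = [
    ("m1", "USPS_Label_48213.zip"),
    ("m2", "Statement of Account.zip"),
    ("m3", "TAX_contoso-example.com.zip"),
    ("m4", "quarterly_report.pdf"),
    ("m5", "7731-90218.zip"),
    ("m6", "Case_1021.zip"),
    ("m7", "Remit_JohnDoe.zip"),
    ("m8", "ATO_TAX.zip"),
    ("m9", "photos.zip"),
]


def triage(records):
    """Return {message_id: label} for records whose attachment matches a pattern."""
    hits = {}
    for msg_id, attachment in records:
        label = classify_attachment(attachment)
        if label:
            hits[msg_id] = label
    return hits
```

The `number_pair` pattern is deliberately broad and is best used to raise priority for a sandbox detonation rather than to block on its own.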

Furthermore, based upon the telemetry, Win32/Upatre is also distributed via exploit kits, such as those delivered via Java and PDF-related exploits.

Win32/Upatre’s end purpose is to download and install PWS:Win32/Zbot.gen!AM. The month after its first appearance, Win32/Upatre also started downloading the VBR bootkit TrojanDownloader:Win32/Rovnix.I.

In the past, PWS:Win32/Zbot.gen!AM was known to use domain generation algorithm (DGA) generated URLs when attempting to download updates. DGA URLs are harder to track than normal URLs because the domains are usually registered only for a very short time, at the attacker's discretion. As the attacker knows the algorithm, they can predict which domain the malware will attempt to connect to at any given date and time.
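The same predictability works for an analyst who has recovered the algorithm and seed from a sample: the candidate domains for a window of days can be precomputed and fed to a blocklist or sinkhole. The toy date-seeded DGA below is a constructed illustration added here, not Zbot's real algorithm and not code from the original post; the seed value and the dates are constructed too.

```python
import hashlib
from datetime import date, timedelta

TLD = ".com"
# Constructed values for the demonstration; nothing here comes from a sample.
SAMPLE_SEED = b"constructed-seed-not-from-any-sample"
SAMPLE_DAY = date(2013, 9, 15)


def window_days(start: date, days: int):
    """List of consecutive dates starting at `start`."""
    return [start + timedelta(days=n) for n in range(days)]


def toy_dga(day: date, seed: bytes, count: int = 5):
    """Constructed date-seeded DGA: hash seed+date, then chain digests.

    Each digest yields one 12-letter label. Anyone holding the seed and the
    algorithm, attacker or analyst, derives the identical list for a date.
    """
    domains = []
    state = hashlib.sha256(seed + day.isoformat().encode()).digest()
    for _ in range(count):
        label = "".join(chr(ord("a") + b % 26) for b in state[:12])
        domains.append(label + TLD)
        state = hashlib.sha256(state).digest()
    return domains


def defender_blocklist(start: date, days: int, seed: bytes, count: int = 5):
    """Precompute every candidate domain over a window of days so that a
    blocklist or sinkhole is in place before the malware rolls to them."""
    block = set()
    for day in window_days(start, days):
        block.update(toy_dga(day, seed, count))
    return block


def is_predicted_c2(domain: str, blocklist: set) -> bool:
    """Check a DNS query (for example from resolver logs) against the list."""
    return domain.strip().lower().rstrip(".") in blocklist
```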

However, recently we have seen this variant of Zbot configured to download other malware. In particular, we have seen it downloading the "CryptoLocker" ransomware that we detect as Trojan:Win32/Crilock.B. After a few days, it was modified to download a different malware, detected as Trojan:Win32/Necurs.A.

This diagram shows the infection chain:

Infection chain for Win32/Upatre

Figure 3: Upatre and Zbot infection


It is worth noting that a recent variant of this downloader (TrojanDownloader:Win32/Upatre.B) shares common modules with its payload malware, Win32/Zbot. The way Upatre's code has evolved over time has made it easier to embed more URL links. It has an export function named loaderConfigSource() that contains no code but rather data: the URLs from which to download malware:

Figure 4: loaderConfigSource export function


Pseudo code of the core downloading module

Figure 5: Pseudo code of the core downloading module


This may also hinder proper remediation of Win32/Zbot (or other malware used as the payload in Win32/Upatre variants), because failure to properly detect and block Win32/Upatre may mean your system gets re-infected with Win32/Zbot.

The MMPC team is constantly monitoring emerging threats and ensuring that our protection covers them. As always, we recommend keeping your security products up-to-date.


Rodel Finones




Comments (2)

  1. Question says:

    So what I have seems like a LTE of this? It loads into high mem at 0x10, 0x40 12C, 12F etc… it puts a false acpi driver in the first slot (viewable in EFI shell), and that controls putting up to 8 different other replacement drivers into the BIOS area. These are all under a package titled CORE_DXE. It seems to use a video replacement manifest dll to use the video GPU as its source of interactivity with the system. As far as I can tell it's got image paths set up everywhere to link to other blocks of memory and hard drive partitions or ramdisk areas, and then it has a bunch of set blk0 *dev/string/etc here* then alias blk0 as "FSx/dev/string/ here" and final alias = null so that it protects itself from command-based removal. It crashes the system at critical mem blocks when using mm (manual memory overwrite).. This is just how it starts, it then goes into a whole zeroaccess, take over your windows os and installation, and put itself into a separate server/client dismhost type of setup with you as a virtual client…. it's impossible to scan and impossible to remove… could it be an iteration??? I have a ticket open with a subscription for this problem with you guys recently… if anyone figures it out, it'd be nice to know.

  2. JW says:

    We were the first to encounter this variant [TrojanDownloader:Win32/Upatre.AR] and hadn't seen anything like it! To date, we have actually seen more of this coming out of Canada than we do here in the States, which is how this one kicked off on January 15th,
