Wire transfer spam spreads Upatre

The Microsoft Malware Protection Center (MMPC) is currently monitoring a spam email campaign that is using a wire transfer claim to spread Trojan:Win32/Upatre.

It is important to note that customers running up-to-date Microsoft security software are protected from this threat. Additionally, customers with Microsoft Active Protection Service Community (MAPS) enabled also benefit from our cloud protection service.

Upatre typically uses spam email campaigns to spread and then downloads other malware onto the infected PC. Emails in the latest spam campaign (as shown below) claim to have sent the recipient a wire transfer of "$35,292.00" and ask them to open the email attachment.

Figure 1: An example of the latest spam email spreading Trojan:Win32/Upatre

The attachment contains a malicious ZIP file. We have seen it use the name payment1872.zip, but this can change at any time. The file extracts as an SCR file that imitates a screen saver or an Adobe PDF document as shown in the example below:

Figure 2: The extracted file imitates an Adobe PDF or screen saver

Trojan:Win32/Upatre is installed when this file is opened.
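As an added example (not MMPC code), here is one way a mail gateway or triage script could flag the pattern described above: a ZIP attachment whose member is an SCR executable dressed up as a document. The extension list, hint words, function names and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs as programs; .scr (screen saver) is a normal PE executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
# Document-like words an executable's name may borrow to look harmless (assumed list).
DECOY_HINTS = ("pdf", "doc", "xls", "invoice", "payment")


def scan_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per archive member that Windows would execute."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            path = PurePosixPath(info.filename.replace("\\", "/"))
            if info.is_dir() or path.suffix.lower() not in EXECUTABLE_EXTS:
                continue
            # PE files start with the DOS "MZ" signature; unknown if encrypted.
            is_pe = None
            if not info.flag_bits & 0x1:
                with archive.open(info) as member:
                    is_pe = member.read(2) == b"MZ"
            findings.append({
                "member": info.filename,
                "extension": path.suffix.lower(),
                "pe_header": is_pe,
                "document_decoy": any(h in path.stem.lower() for h in DECOY_HINTS),
            })
    return findings


def build_sample(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed, harmless member contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed samples: names and bytes are made up, nothing here is real malware.
SUSPICIOUS = build_sample({"payment_pdf.scr": b"MZ" + b"\x00" * 62})
BENIGN = build_sample({"statement.pdf": b"%PDF-1.4\n"})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_zip_attachment(blob))
```

A finding with `document_decoy` set is the strongest signal here, since a legitimate screen saver has little reason to carry a document-like name inside an emailed archive.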

During the past week, our telemetry showed this threat was predominantly seen in North America, attempting to compromise both consumer and enterprise machines.

Upatre encounters by country

Figure 3: Trojan:Win32/Upatre consumer and enterprise machine encounters 9-10 December, 2014

If this threat is successfully installed, it will try to connect to the following URLs to download other malware components:

  • continua.ltd.uk/<removed>.pdf
  • odecarequipa.com/<removed>.pdf

The downloaded components are encrypted and contain PWS:Win32/Dyzap.H. This threat can steal personal information such as your banking user names and passwords.

Microsoft security products, such as Microsoft Security Essentials, include detection for Trojan:Win32/Upatre and PWS:Win32/Dyzap.H from version 1.189.1849.0. To help stay protected, we recommend you keep your security software up to date.

We also encourage people to join our Microsoft Active Protection Service Community (MAPS). Data from MAPS is used by our analysts to help respond quickly to emerging threats. MAPS is enabled by default for Microsoft Security Essentials and Windows Defender for Windows 8.1. You can check whether the MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS:

Figure 4: You can take advantage of the Microsoft cloud protection service by enabling the MAPS option in your Microsoft anti-malware security product

We are closely monitoring this and related threats using the telemetry we receive from our customers.

Patrick Estavillo

Comments (3)

  1. adwbust says:

    Uh Windows should consider scr as executable. If user gets Windows executable prompt for files downloaded from Internet, they'll wonder why they're getting the prompt if it's really a pdf! They'll be suspicious and deny it. Windows dev team are you listening?!

    But in this case I guess user will not get prompt because file was from an archive. That removes zone identifier tag? Nonetheless, Windows should always prompt for running/opening executable regardless of origin!!!

  2. fzd says:

    so hard brew-,-

  3. Chris says:

    What a joke, why are people relying on a Microsoft product for security. What mail admin in his right mind is allowing zip or executable attachments? I've been blocking all archive, scripts and executable attachments since 1999. End user convenience and stupidity are the root cause.
