Monthly Archives: February 2015

More Upatre privilege escalation

It looks like the Upatre downloader malware has picked up a new tool that takes advantage of PCs missing Windows Update patches from last fall (last Northern Hemisphere fall, that is). In the past few weeks, newer versions of Upatre have been able to silently elevate their payload (the closely-coupled Dyre/Dyreza banking malware) to run with full admin rights. They do it by exploiting a vulnerability that Microsoft patched in October; on a PC that has not taken that patch, the malware can elevate all the way to SYSTEM even when the user tricked into running Upatre is a non-admin, so running as a standard user is no protection until the patch is applied.

Upatre continues to incorporate the AppCompat UAC bypass technique

Malware using AppCompat for automatic UAC elevation, continued

As noted last time, a blog from last month already documented how the dropper for the Dridex banking trojan uses the UAC auto-elevation feature introduced with Windows 7, together with an Application Compatibility (AppCompat) “shim”, to invisibly elevate to full admin on the local machine. (Auto-elevation lets certain signed Windows executables run elevated without a consent prompt; the shim redirects one of them to the malware's own file, which therefore runs with the elevated token. This only works for a user who is already in the local Administrators group and running at UAC's default prompt level; it gains a standard user nothing, and setting UAC to “Always notify” disables auto-elevation altogether.) From that blog:
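As an added defensive check, not part of the original post or of any of the analyses it links to: the PowerShell below lists every custom shim database registered on a Windows 7 or later machine, the executables those shims are attached to, the .sdb files on disk, and the UAC prompt level that makes the auto-elevation trick possible. The registry keys and value names are the ones sdbinst.exe writes when a shim database is installed; the script itself is mine, and it does not look for any particular malware.

```powershell
# Added example, not from the original post: inventory the places where an
# AppCompat shim bypass leaves traces, plus the UAC setting that makes it possible.
# Paths and value names are the ones sdbinst.exe writes; run from an elevated
# PowerShell prompt so the AppPatch directories and HKLM keys are all readable.

$flags   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$sdbDirs = @("$env:SystemRoot\AppPatch\Custom", "$env:SystemRoot\AppPatch\Custom\Custom64")

# 1. Every shim database sdbinst has registered (one GUID-named subkey per database).
Write-Host "== Installed shim databases =="
$installedKey = Join-Path $flags 'InstalledSDB'
if (Test-Path $installedKey) {
    Get-ChildItem $installedKey | ForEach-Object {
        $p  = Get-ItemProperty -Path $_.PSPath
        $ts = $null
        if ($p.DatabaseInstallTimeStamp) {
            # Stored as a QWORD FILETIME
            $ts = [DateTime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp)
        }
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            Installed   = $ts
        }
    } | Format-Table -AutoSize
} else {
    Write-Host "(none registered)"
}

# 2. Which executables have a custom shim attached. A Windows binary that
#    auto-elevates showing up here is the tell-tale sign of the UAC bypass.
Write-Host "== Executables with custom shims =="
$customKey = Join-Path $flags 'Custom'
if (Test-Path $customKey) {
    Get-ChildItem $customKey | ForEach-Object {
        $exe = $_.PSChildName
        foreach ($sdb in (Get-Item -Path $_.PSPath).GetValueNames()) {
            [pscustomobject]@{ Executable = $exe; Sdb = $sdb }
        }
    } | Format-Table -AutoSize
} else {
    Write-Host "(none)"
}

# 3. The .sdb files themselves. On a workstation with no enterprise
#    compatibility fixes deployed these directories are normally empty.
Write-Host "== Custom .sdb files on disk =="
foreach ($d in $sdbDirs) {
    if (Test-Path $d) {
        Get-ChildItem -Path $d -Filter *.sdb -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    }
}

# 4. UAC prompt level. ConsentPromptBehaviorAdmin = 5 (the Windows 7 default)
#    silently auto-elevates signed Windows binaries, which is what the shim
#    trick rides on; 2 is "Always notify", where nothing auto-elevates.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -eq 0) {
    Write-Host "UAC: disabled entirely (EnableLUA = 0)"
} else {
    switch ($uac.ConsentPromptBehaviorAdmin) {
        2       { Write-Host "UAC: Always notify (auto-elevation disabled)" }
        5       { Write-Host "UAC: default level; auto-elevation ENABLED" }
        0       { Write-Host "UAC: elevate without prompting (effectively off)" }
        default { Write-Host ("UAC: ConsentPromptBehaviorAdmin = {0}" -f $uac.ConsentPromptBehaviorAdmin) }
    }
}
```

Anything in sections 1 to 3 on a home or small-office PC that nobody deliberately deployed with the Application Compatibility Toolkit deserves a look, and any shim attached to a Windows-signed executable is worth pulling apart. Section 4 is the cheap fix the post's caveat points at: moving UAC to “Always notify” removes the auto-elevation path the shim abuses, at the cost of a prompt for every elevation.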

Dridex is currently being delivered via a separate “wave” of workday/weekday spam emails that attach Office files with VB macros. (Those macros then go off and download the Dridex dropper/installer.) The Dynamoo blog analyzes a lot of these; for example, here’s one from today:

The Dridex dropper uses the same auto-elevate bypass

Upatre downloader malware using AppCompat for automatic UAC elevation

Upatre is a trojan downloader that accompanies workday/weekday spam email (often sent via the Cutwail spam botnet). Sometimes it is delivered by persuading us to click on a link to a malicious website; sometimes it is attached to the email, with the message persuading us to open the attached document. Once started, Upatre's primary downloads (if not its primary download) are banking trojans: originally Gameover Zeus, now Dyreza. Over its life Upatre has evolved in several areas, including how it installs the downloaded payload and its use of a recent technique to automatically gain full admin rights for itself and its delivered