Upatre downloader malware using AppCompat for automatic UAC elevation

February 8, 2015

Upatre is a trojan downloader that accompanies work-day/weekday spam email (often via the Cutwail spam botnet).  Sometimes it is delivered by persuading us to click on a link to a malicious website; sometimes it is attached to the email, with the message persuading us to open the attached document.  Once started, Upatre’s primary downloads (if not its primary download) are banking trojans — originally Gameover Zeus, now Dyreza.  Over its life Upatre has evolved in several areas, including how it installs the downloaded payload; its usage of a recent technique to automatically gain full admin rights for itself and its delivered payload indicates the procedure is now “mainstream.”

With Windows XP fading last year, getting local administrative rights (and thus taking over the PC) is no longer automatic — while it’s not a security boundary, PCs with Windows 7 and 8 now usually display a visible User Account Control (UAC) prompt.  Early versions of Upatre “just” started the downloaded executable, which was good enough with XP.  By early 2014, the binary was given a manifest to force a UAC prompt — a lot of users will elevate without question.  (The more annoying the prompting is, the better chance of the user accepting elevation in order to make the prompting stop — such as in the case of an endless loop of prompts.)

Then I took the last half of 2014 and early 2015 off, so I missed this until now: if Upatre successfully downloads Dyreza, it is invisibly “auto-elevating” the banking trojan to run as a full administrator at install time — assuming the right conditions (which are also popular conditions) are met.  The recent blog post “Firewall Rule Changes and Compatibility Trickery” notes a case of an installer for the Dridex banking trojan doing another variation on the same theme:
http://www.confer.net/kill-chain-the-confer-blog/80-firewall-rule-changes-and-compatibility-trickery

Doing a little searching online, it looks like some malware has been using this technique since early last year; something close to a definitive post was made on KernelMode.info recently, including demonstration code:
http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643&start=10#p24723

In the case of Upatre, I observed the behavior of this binary that was spammed out on Friday (6 February; MD5 = 1d38c362198ad67329fdf58b4743165e):
https://www.virustotal.com/en/file/5387585bc905f6304b190493af158a714bdd0baed1be7e81db40407d4a92af01/analysis/

Prior to installing the downloaded payload (Dyreza), Upatre checks to see if the user for the current desktop/session is an administrator; PCs often default to what amounts to a single user install, with that user being an administrator of the local machine.  On Windows 7 and 8, the default is also for admin users to be logged in with a “split token” (“Administrator Approval Mode”); when Upatre detects this, it drops a pre-built Application Compatibility (AppCompat) database file in the infected user’s profile and launches a pre-installed operating system utility (sdbinst) to install it; the process command line looked a lot like this:

"C:\Windows\system32\sdbinst.exe" /q "C:\Users\%USERNAME%\AppData\Local\Temp\\..\..\LocalLow\com.%USERNAME%.sdb"

(Upatre is 32-bit, so this will evaluate a little differently on 64-bit Windows.)

The AppCompat database file is a small shim that applies the “RedirectEXE” patch to another pre-installed operating system utility, iscsicli.exe.  The shim redirects execution of iscsicli.exe to this path: “%temp%\..\..\LocalLow\cmd.%username%.bat”, which usually evaluates to the same location as the pre-built SDB file (“C:\Users\%USERNAME%\AppData\LocalLow”).  Upatre also drops this file, which basically points back to itself.

[Image: AppCompatAdmin.composite]

iscsicli.exe is marked as requiring admin rights; however, the default UAC setting in Windows 7 and 8 “auto-elevates” Windows utilities like this — in truth, sdbinst.exe was also auto-elevated in order to install the shim database in the first place.  Assuming Upatre was able to set up the RedirectEXE shim, it then launches iscsicli.exe.  The new iscsicli.exe process auto-elevates to “full” admin invisibly, then the RedirectEXE shim kicks in and launches the batch file, which points back to (and launches) Upatre.  If all of that worked, a new instance of Upatre is now running with full admin rights on the PC, and it can do pretty much whatever it wants.  (The admin instance pretty much launches Dyreza and Dyreza then does its own admin-or-not checking as a part of its installation.)  Meanwhile, the original, non-admin instance of Upatre cleans up, uninstalling the AppCompat shim, deleting the dropped SDB file, and deleting the batch file.

[Images: Procmon.ProcessTree, Procmon.ProcessTree2]
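
The process sequence described above can be hunted for in process-creation telemetry.  The following is an added example, not code from the original post or from any tool it mentions: it normalises the .sdb argument and flags a parent process that has sdbinst.exe install a database from a user profile and then starts iscsicli.exe.  The event records, the user name "alice", the PIDs and invoice.exe are constructed for illustration, and events are assumed to arrive in time order.

```python
import ntpath
import re

# Constructed process-creation events (not captured telemetry), modelled on the
# command line quoted in the post; user "alice", PIDs and invoice.exe are made up.
EVENTS = [
    {"pid": 100, "ppid": 50, "cmd": r'"C:\Users\alice\AppData\Local\Temp\invoice.exe"'},
    {"pid": 101, "ppid": 100, "cmd": r'"C:\Windows\system32\sdbinst.exe" /q '
        r'"C:\Users\alice\AppData\Local\Temp\\..\..\LocalLow\com.alice.sdb"'},
    {"pid": 102, "ppid": 100, "cmd": r'"C:\Windows\system32\iscsicli.exe"'},
    # Benign control: an administrator installing a vendor compatibility fix.
    {"pid": 200, "ppid": 60, "cmd": r'sdbinst.exe /q "C:\Program Files\Vendor\fix.sdb"'},
    {"pid": 201, "ppid": 60, "cmd": r'"C:\Windows\system32\iscsicli.exe" ListTargets'},
]

USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
SHIM_TARGET = "iscsicli.exe"  # auto-elevating utility named in the post

def args(cmd):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]

def image(cmd):
    """Lower-cased file name of the executable (first argument)."""
    a = args(cmd)
    return ntpath.basename(a[0]).lower() if a else ""

def user_sdb_install(cmd):
    """Return the normalised .sdb path if sdbinst installs one from a user profile."""
    a = args(cmd)
    if image(cmd) != "sdbinst.exe" or any(x.lower() in ("-u", "/u") for x in a[1:]):
        return None  # not sdbinst, or an uninstall
    for x in a[1:]:
        path = ntpath.normpath(x)  # collapses the "\\" and "..\.." segments
        if path.lower().endswith(".sdb") and USER_PROFILE.match(path):
            return path
    return None

def find_shim_elevation(events):
    """Flag a parent that installs a user-profile SDB and then starts iscsicli.exe."""
    pending, alerts = {}, []
    for ev in events:
        sdb = user_sdb_install(ev["cmd"])
        if sdb:
            pending[ev["ppid"]] = sdb
        elif image(ev["cmd"]) == SHIM_TARGET and ev["ppid"] in pending:
            alerts.append({"parent_pid": ev["ppid"], "sdb": pending[ev["ppid"]],
                           "elevated_pid": ev["pid"]})
    return alerts
```

Only the constructed parent with PID 100 is flagged; the vendor SDB installed from Program Files and the unrelated iscsicli.exe run are not.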

Looking around online for the small, pre-built SDB file that Upatre drops provides some idea about how long it has used this technique “in the wild”; the MD5 for it is 6e0bdb9e821a27bf740c98d6a60594bc and it was first submitted to VirusTotal in the middle of November of last year (a few months ago):
https://www.virustotal.com/en/file/04176b2414414fcb81100fac2dd5d42bd8c50038f414a61714838d9387d8c1f1/analysis/

This implies that even Upatre has been using this technique in an attempt to invisibly elevate its installations at least since then.

Selected AppCompat references:
http://www.wessner.de/?p=21
http://blogs.technet.com/b/askperf/archive/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff.aspx

Some recent Upatre references:
http://blog.trendmicro.com/trendlabs-security-intelligence/cutwail-spambot-leads-to-upatre-dyre-infection/
http://research.zscaler.com/2014/11/evolution-of-upatre-trojan-downloader.html
http://phishme.com/evolution-upatre-dyre/